{ "id": "bundle--ba4e815d-dd60-4f9b-bd06-edda52e71ce3", "spec_version": "2.0", "objects": [ { "created": "2019-08-23T14:40:59.719Z", "id": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "identity_class": "system", "modified": "2019-08-23T14:40:59.719Z", "name": "splunk", "type": "identity" }, { "created": "2019-08-23T14:38:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:59.000Z", "id": "observed-data--5fc544cd-515e-41cc-829e-05b3379bd36c", "last_observed": "2019-08-23T14:38:59.000Z", "modified": "2019-08-23T14:38:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:56.000Z", "id": "observed-data--a6a8c151-1443-4e00-b48f-a4d8ad9dfb22", "last_observed": "2019-08-23T14:38:56.000Z", "modified": "2019-08-23T14:38:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:52.000Z", "id": "observed-data--ce254d1f-d16d-4fef-bd90-7552e2cc059a", "last_observed": "2019-08-23T14:38:52.000Z", "modified": "2019-08-23T14:38:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:49.000Z", "id": "observed-data--ada52ce2-e5e4-499b-b596-6ee4e547147f", "last_observed": "2019-08-23T14:38:49.000Z", "modified": "2019-08-23T14:38:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:46.000Z", "id": "observed-data--4c360387-9718-4bc4-b4ce-ab33be23171d", "last_observed": "2019-08-23T14:38:46.000Z", "modified": "2019-08-23T14:38:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:43.000Z", "id": "observed-data--3ec31153-dfed-4bdb-8916-a00613fde27e", "last_observed": "2019-08-23T14:38:43.000Z", "modified": "2019-08-23T14:38:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:40.000Z", "id": "observed-data--b47983f7-a332-438b-b706-a06f6aa44332", "last_observed": "2019-08-23T14:38:40.000Z", "modified": "2019-08-23T14:38:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:37.000Z", "id": "observed-data--2c299eac-c65c-48e8-9548-d217afe0643d", "last_observed": "2019-08-23T14:38:37.000Z", "modified": "2019-08-23T14:38:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:34.000Z", "id": "observed-data--937f1680-f1e7-4634-8d08-dc1ed34ea122", "last_observed": "2019-08-23T14:38:34.000Z", "modified": "2019-08-23T14:38:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:30.000Z", "id": "observed-data--e258f03e-149b-4656-978b-5340b99824db", "last_observed": "2019-08-23T14:38:30.000Z", "modified": "2019-08-23T14:38:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:27.000Z", "id": "observed-data--44092182-5f55-4a3f-bbb3-6617e7b9703d", "last_observed": "2019-08-23T14:38:27.000Z", "modified": "2019-08-23T14:38:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:24.000Z", "id": "observed-data--ea225391-a8ae-42ba-b575-4af2482028b1", "last_observed": "2019-08-23T14:38:24.000Z", "modified": "2019-08-23T14:38:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:21.000Z", "id": "observed-data--917b285a-1e10-4d3d-a0f6-f9b875e109fd", "last_observed": "2019-08-23T14:38:21.000Z", "modified": "2019-08-23T14:38:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:18.000Z", "id": "observed-data--c343e3e0-7f94-40f3-85cc-8c0df0a25371", "last_observed": "2019-08-23T14:38:18.000Z", "modified": "2019-08-23T14:38:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:15.000Z", "id": "observed-data--1abb5d63-2972-44cd-bfca-63704035a0cb", "last_observed": "2019-08-23T14:38:15.000Z", "modified": "2019-08-23T14:38:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:12.000Z", "id": "observed-data--38409a61-83c9-4ac4-b154-9dca51436657", "last_observed": "2019-08-23T14:38:12.000Z", "modified": "2019-08-23T14:38:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:08.000Z", "id": "observed-data--df771322-370a-4929-bfea-2d83a7252b43", "last_observed": "2019-08-23T14:38:08.000Z", "modified": "2019-08-23T14:38:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:05.000Z", "id": "observed-data--0c0a166e-2816-4b5c-b73e-7c20fcf5be9b", "last_observed": "2019-08-23T14:38:05.000Z", "modified": "2019-08-23T14:38:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:38:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:38:02.000Z", "id": "observed-data--19bce5af-5fbd-4f16-ade0-61aa19cd4d4c", "last_observed": "2019-08-23T14:38:02.000Z", "modified": "2019-08-23T14:38:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:38:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:38:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:59.000Z", "id": "observed-data--59f0228c-f990-4b20-9ceb-783a9e73efab", "last_observed": "2019-08-23T14:37:59.000Z", "modified": "2019-08-23T14:37:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:56.000Z", "id": "observed-data--ba052704-82bd-42d2-9294-c9dd30d7cd2f", "last_observed": "2019-08-23T14:37:56.000Z", "modified": "2019-08-23T14:37:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:53.000Z", "id": "observed-data--8ef6b081-a9bb-4569-9c16-4eb6ec4380fc", "last_observed": "2019-08-23T14:37:53.000Z", "modified": "2019-08-23T14:37:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:49.000Z", "id": "observed-data--0225607a-f67f-43c1-843b-02e15ba1205b", "last_observed": "2019-08-23T14:37:49.000Z", "modified": "2019-08-23T14:37:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:46.000Z", "id": "observed-data--ba428bdf-fa6d-48b0-8415-2fb0efee97ac", "last_observed": "2019-08-23T14:37:46.000Z", "modified": "2019-08-23T14:37:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:43.000Z", "id": "observed-data--90aa41d2-c9f1-4e59-8de4-2d527b3c0042", "last_observed": "2019-08-23T14:37:43.000Z", "modified": "2019-08-23T14:37:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:40.000Z", "id": "observed-data--6a6df823-24f7-4e0b-a331-b53f5ec50ff9", "last_observed": "2019-08-23T14:37:40.000Z", "modified": "2019-08-23T14:37:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:37.000Z", "id": "observed-data--0ff44050-5e79-4fcd-8eb3-8b0d5f01a649", "last_observed": "2019-08-23T14:37:37.000Z", "modified": "2019-08-23T14:37:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:34.000Z", "id": "observed-data--938d13b0-0b0d-4f8a-9228-4da0fa47984b", "last_observed": "2019-08-23T14:37:34.000Z", "modified": "2019-08-23T14:37:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:31.000Z", "id": "observed-data--017ca3cd-cd2b-4d8d-8f91-90d304a420e1", "last_observed": "2019-08-23T14:37:31.000Z", "modified": "2019-08-23T14:37:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:27.000Z", "id": "observed-data--ddcfad59-3598-4304-980d-95c1baf26ef3", "last_observed": "2019-08-23T14:37:27.000Z", "modified": "2019-08-23T14:37:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:24.000Z", "id": "observed-data--9219c85d-3777-4942-a8ec-dfafe831b94f", "last_observed": "2019-08-23T14:37:24.000Z", "modified": "2019-08-23T14:37:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:21.000Z", "id": "observed-data--1c18c8f6-486b-4790-a2d0-499e34ece141", "last_observed": "2019-08-23T14:37:21.000Z", "modified": "2019-08-23T14:37:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:18.000Z", "id": "observed-data--1b53e3e3-67b2-4961-a31c-52351e8ff476", "last_observed": "2019-08-23T14:37:18.000Z", "modified": "2019-08-23T14:37:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:15.000Z", "id": "observed-data--635a2e86-3533-40d2-ba13-af9b9a454f28", "last_observed": "2019-08-23T14:37:15.000Z", "modified": "2019-08-23T14:37:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:12.000Z", "id": "observed-data--adee813b-3d92-426c-be5b-08510ea5c482", "last_observed": "2019-08-23T14:37:12.000Z", "modified": "2019-08-23T14:37:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:09.000Z", "id": "observed-data--b1a0989d-86d2-4ee1-b7ce-da068a918d4e", "last_observed": "2019-08-23T14:37:09.000Z", "modified": "2019-08-23T14:37:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:05.000Z", "id": "observed-data--1b1cb1a8-ac22-4b13-80bf-b512a5759582", "last_observed": "2019-08-23T14:37:05.000Z", "modified": "2019-08-23T14:37:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:37:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:37:02.000Z", "id": "observed-data--e8263945-9417-46ea-8c5a-6af3c1da178d", "last_observed": "2019-08-23T14:37:02.000Z", "modified": "2019-08-23T14:37:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzc6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNzowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:37:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:37:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:59.000Z", "id": "observed-data--2cbdbcd1-ad94-4e6e-8f48-86edaee393a9", "last_observed": "2019-08-23T14:36:59.000Z", "modified": "2019-08-23T14:36:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:56.000Z", "id": "observed-data--4bd3c60f-63e1-4278-a850-c639c0443943", "last_observed": "2019-08-23T14:36:56.000Z", "modified": "2019-08-23T14:36:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:53.000Z", "id": "observed-data--1c23cba0-e686-4c05-b44e-6f291194a909", "last_observed": "2019-08-23T14:36:53.000Z", "modified": "2019-08-23T14:36:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:50.000Z", "id": "observed-data--112d2b9c-4351-440f-b803-f88c4aa2fa67", "last_observed": "2019-08-23T14:36:50.000Z", "modified": "2019-08-23T14:36:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:47.000Z", "id": "observed-data--05cb92ff-ab31-4d39-905a-0980d8491626", "last_observed": "2019-08-23T14:36:47.000Z", "modified": "2019-08-23T14:36:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:43.000Z", "id": "observed-data--c28a5354-40dc-4ea1-9ccc-d8b6c67f7819", "last_observed": "2019-08-23T14:36:43.000Z", "modified": "2019-08-23T14:36:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:40.000Z", "id": "observed-data--9ee66198-0db3-45e3-9227-608e7a940ca8", "last_observed": "2019-08-23T14:36:40.000Z", "modified": "2019-08-23T14:36:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:37.000Z", "id": "observed-data--d51fd416-4a0d-469e-b740-07aacc8b7e46", "last_observed": "2019-08-23T14:36:37.000Z", "modified": "2019-08-23T14:36:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:34.000Z", "id": "observed-data--f374b596-21a5-4d32-9ff1-3f38999df673", "last_observed": "2019-08-23T14:36:34.000Z", "modified": "2019-08-23T14:36:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:31.000Z", "id": "observed-data--9c66d0b5-cb4c-49c4-b30e-294793d259e8", "last_observed": "2019-08-23T14:36:31.000Z", "modified": "2019-08-23T14:36:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:28.000Z", "id": "observed-data--1e71d84e-6478-41c9-ac76-232799b8a89e", "last_observed": "2019-08-23T14:36:28.000Z", "modified": "2019-08-23T14:36:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:24.000Z", "id": "observed-data--3ccb65b1-4f95-45fb-9342-3ab39976be61", "last_observed": "2019-08-23T14:36:24.000Z", "modified": "2019-08-23T14:36:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:21.000Z", "id": "observed-data--9bf49b85-6796-437c-9e30-89ff4754fba1", "last_observed": "2019-08-23T14:36:21.000Z", "modified": "2019-08-23T14:36:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:18.000Z", "id": "observed-data--90b949f8-76f3-49c0-afb1-3106115c8ca4", "last_observed": "2019-08-23T14:36:18.000Z", "modified": "2019-08-23T14:36:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:15.000Z", "id": "observed-data--a2333787-7ae4-4b7e-bbf5-704b1d820de7", "last_observed": "2019-08-23T14:36:15.000Z", "modified": "2019-08-23T14:36:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:12.000Z", "id": "observed-data--456dc96a-be9c-4929-bf5d-b8b40572bbe2", "last_observed": "2019-08-23T14:36:12.000Z", "modified": "2019-08-23T14:36:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:09.000Z", "id": "observed-data--c494b2a5-aeaf-4ca7-8161-5ae8c7ced7e1", "last_observed": "2019-08-23T14:36:09.000Z", "modified": "2019-08-23T14:36:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:06.000Z", "id": "observed-data--3d7a34bd-c788-402e-bfbd-ef8cb8c36008", "last_observed": "2019-08-23T14:36:06.000Z", "modified": "2019-08-23T14:36:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:36:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:36:02.000Z", "id": "observed-data--bd7e28e9-78a9-4a00-87c4-e2be7af63ad8", "last_observed": "2019-08-23T14:36:02.000Z", "modified": "2019-08-23T14:36:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzY6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNjowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:36:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:36:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:59.000Z", "id": "observed-data--98c13f93-15ef-4b99-8571-97bed550a8f8", "last_observed": "2019-08-23T14:35:59.000Z", "modified": "2019-08-23T14:35:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:56.000Z", "id": "observed-data--93a586db-0c32-4211-a9b7-4791cea38bf1", "last_observed": "2019-08-23T14:35:56.000Z", "modified": "2019-08-23T14:35:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:53.000Z", "id": "observed-data--273274ae-b662-440f-8e62-4d6d5ca35d27", "last_observed": "2019-08-23T14:35:53.000Z", "modified": "2019-08-23T14:35:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:50.000Z", "id": "observed-data--6fd38c93-c595-45b7-b31a-356406e8a126", "last_observed": "2019-08-23T14:35:50.000Z", "modified": "2019-08-23T14:35:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:47.000Z", "id": "observed-data--5b5679d8-42ff-48d4-943c-89c3e607cdb0", "last_observed": "2019-08-23T14:35:47.000Z", "modified": "2019-08-23T14:35:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:44.000Z", "id": "observed-data--85eac25b-34df-4413-9087-803e09604555", "last_observed": "2019-08-23T14:35:44.000Z", "modified": "2019-08-23T14:35:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:40.000Z", "id": "observed-data--d9a4fd4e-2337-4a4d-9b2c-8240e4e29050", "last_observed": "2019-08-23T14:35:40.000Z", "modified": "2019-08-23T14:35:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:37.000Z", "id": "observed-data--38bfa548-da27-43a0-a0d7-2a70ba001f95", "last_observed": "2019-08-23T14:35:37.000Z", "modified": "2019-08-23T14:35:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:34.000Z", "id": "observed-data--262d2776-0abe-4097-860d-bfe66a6d9035", "last_observed": "2019-08-23T14:35:34.000Z", "modified": "2019-08-23T14:35:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:31.000Z", "id": "observed-data--399416da-45e6-47ea-8bc9-751319167dc6", "last_observed": "2019-08-23T14:35:31.000Z", "modified": "2019-08-23T14:35:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:28.000Z", "id": "observed-data--9fea4ca7-ca7c-4ad1-9c88-5aa19decf0fc", "last_observed": "2019-08-23T14:35:28.000Z", "modified": "2019-08-23T14:35:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNToyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:25.000Z", "id": "observed-data--69989835-8840-49e4-bce0-55a2e7c91920", "last_observed": "2019-08-23T14:35:25.000Z", "modified": "2019-08-23T14:35:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNToyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:22.000Z", "id": "observed-data--c46a7a1f-a47f-456e-8107-eed725fc41f0", "last_observed": "2019-08-23T14:35:22.000Z", "modified": "2019-08-23T14:35:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNToyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:18.000Z", "id": "observed-data--3b643eca-db43-428a-9872-2aa6bfbc1e40", "last_observed": "2019-08-23T14:35:18.000Z", "modified": "2019-08-23T14:35:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:15.000Z", "id": "observed-data--e92044a9-386e-45ea-995a-6bfbef48c6a3", "last_observed": "2019-08-23T14:35:15.000Z", "modified": "2019-08-23T14:35:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNToxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:12.000Z", "id": "observed-data--d6633d91-aca1-44ba-a911-1035d52eb7e6", "last_observed": "2019-08-23T14:35:12.000Z", "modified": "2019-08-23T14:35:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNToxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:09.000Z", "id": "observed-data--a09aa8b2-d1a5-4b82-a6fc-3254866509a4", "last_observed": "2019-08-23T14:35:09.000Z", "modified": "2019-08-23T14:35:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:06.000Z", "id": "observed-data--bf41b2c0-11f6-4acb-826e-c1bed68a32b1", "last_observed": "2019-08-23T14:35:06.000Z", "modified": "2019-08-23T14:35:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:35:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:35:03.000Z", "id": "observed-data--5b5d9fd1-9463-46dc-9b16-8637089796a5", "last_observed": "2019-08-23T14:35:03.000Z", "modified": "2019-08-23T14:35:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzU6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNTowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:35:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:35:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:59.000Z", "id": "observed-data--e1bf723a-3962-49ae-9d68-bda33da462b7", "last_observed": "2019-08-23T14:34:59.000Z", "modified": "2019-08-23T14:34:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:56.000Z", "id": "observed-data--d78cdea9-9867-4bd6-a941-beccd01d78b7", "last_observed": "2019-08-23T14:34:56.000Z", "modified": "2019-08-23T14:34:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:53.000Z", "id": "observed-data--61f4da1b-3e32-455b-b1bc-187ec051910a", "last_observed": "2019-08-23T14:34:53.000Z", "modified": "2019-08-23T14:34:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:50.000Z", "id": "observed-data--49327503-2d59-40d9-bab2-4a78566a2e10", "last_observed": "2019-08-23T14:34:50.000Z", "modified": "2019-08-23T14:34:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:47.000Z", "id": "observed-data--5e9a03a2-42fc-4621-9fbf-60d70c186c70", "last_observed": "2019-08-23T14:34:47.000Z", "modified": "2019-08-23T14:34:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:44.000Z", "id": "observed-data--2602d470-84ee-488e-922d-685bbf65ce75", "last_observed": "2019-08-23T14:34:44.000Z", "modified": "2019-08-23T14:34:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:41.000Z", "id": "observed-data--5ebf67ff-687c-4cd1-9404-93336b89794f", "last_observed": "2019-08-23T14:34:41.000Z", "modified": "2019-08-23T14:34:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:37.000Z", "id": "observed-data--4c0c982d-bf6d-4719-a077-e3a4fe5546ad", "last_observed": "2019-08-23T14:34:37.000Z", "modified": "2019-08-23T14:34:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:34.000Z", "id": "observed-data--a069d1ec-aab6-4df3-9437-f177ec514f98", "last_observed": "2019-08-23T14:34:34.000Z", "modified": "2019-08-23T14:34:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:31.000Z", "id": "observed-data--7436636c-bfaf-49c0-ae95-1a0a169f1329", "last_observed": "2019-08-23T14:34:31.000Z", "modified": "2019-08-23T14:34:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:28.000Z", "id": "observed-data--dc76865a-a15d-4345-853f-6e0a98cbb688", "last_observed": "2019-08-23T14:34:28.000Z", "modified": "2019-08-23T14:34:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:25.000Z", "id": "observed-data--41f76358-ffc6-47f7-b937-228d3e996793", "last_observed": "2019-08-23T14:34:25.000Z", "modified": "2019-08-23T14:34:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:22.000Z", "id": "observed-data--3987a0f2-cd35-46ba-85d8-042b590fb5b9", "last_observed": "2019-08-23T14:34:22.000Z", "modified": "2019-08-23T14:34:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:19.000Z", "id": "observed-data--57164359-d6ec-47eb-a1fe-567daf606305", "last_observed": "2019-08-23T14:34:19.000Z", "modified": "2019-08-23T14:34:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:15.000Z", "id": "observed-data--9e9df02b-07f6-40c1-8f76-aab99bb14b29", "last_observed": "2019-08-23T14:34:15.000Z", "modified": "2019-08-23T14:34:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:12.000Z", "id": "observed-data--acc54024-9267-4394-ae62-f5ac9288c8a6", "last_observed": "2019-08-23T14:34:12.000Z", "modified": "2019-08-23T14:34:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:09.000Z", "id": "observed-data--a7f20f6f-4edb-4e1c-b0d1-c35419530a46", "last_observed": "2019-08-23T14:34:09.000Z", "modified": "2019-08-23T14:34:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:06.000Z", "id": "observed-data--e5a53fd9-5316-43c5-a264-f93df7ea274d", "last_observed": "2019-08-23T14:34:06.000Z", "modified": "2019-08-23T14:34:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:03.000Z", "id": "observed-data--06c56f39-897a-4eaf-941f-3fda0a9b2b45", "last_observed": "2019-08-23T14:34:03.000Z", "modified": "2019-08-23T14:34:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:34:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:34:00.000Z", "id": "observed-data--2aaa3228-b245-4018-a866-f307a6456aa9", "last_observed": "2019-08-23T14:34:00.000Z", "modified": "2019-08-23T14:34:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzQ6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozNDowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:34:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:34:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:57.000Z", "id": "observed-data--3af4c6a2-4e3b-4e08-a0a4-432d219b0b94", "last_observed": "2019-08-23T14:33:57.000Z", "modified": "2019-08-23T14:33:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:53.000Z", "id": "observed-data--68cec712-c9d1-41cc-8562-0a3aed08f662", "last_observed": "2019-08-23T14:33:53.000Z", "modified": "2019-08-23T14:33:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:50.000Z", "id": "observed-data--d749a186-5973-4a21-9b55-122009a206d0", "last_observed": "2019-08-23T14:33:50.000Z", "modified": "2019-08-23T14:33:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:47.000Z", "id": "observed-data--020c3b0e-e384-46b1-b7f1-5ec8de58f35e", "last_observed": "2019-08-23T14:33:47.000Z", "modified": "2019-08-23T14:33:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:44.000Z", "id": "observed-data--185a4ce3-d732-46bc-94e3-7906d2d3ec03", "last_observed": "2019-08-23T14:33:44.000Z", "modified": "2019-08-23T14:33:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:41.000Z", "id": "observed-data--714055bc-8745-45f8-9385-5eeb1ae31ca2", "last_observed": "2019-08-23T14:33:41.000Z", "modified": "2019-08-23T14:33:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:38.000Z", "id": "observed-data--078515aa-d88f-40e4-aeea-099b919f0e5e", "last_observed": "2019-08-23T14:33:38.000Z", "modified": "2019-08-23T14:33:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:34.000Z", "id": "observed-data--308d12df-0a13-4a57-83f7-63176e07bfd9", "last_observed": "2019-08-23T14:33:34.000Z", "modified": "2019-08-23T14:33:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:31.000Z", "id": "observed-data--a1b42908-978a-4c48-9625-60e998f4aa60", "last_observed": "2019-08-23T14:33:31.000Z", "modified": "2019-08-23T14:33:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:28.000Z", "id": "observed-data--e4a3a176-79cb-4736-ab86-4c44f378095b", "last_observed": "2019-08-23T14:33:28.000Z", "modified": "2019-08-23T14:33:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:25.000Z", "id": "observed-data--e10b353a-3281-4ade-9b3c-30f07c3d7ea9", "last_observed": "2019-08-23T14:33:25.000Z", "modified": "2019-08-23T14:33:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:22.000Z", "id": "observed-data--0d9ad5f8-296c-4db5-987e-910c1c3c6570", "last_observed": "2019-08-23T14:33:22.000Z", "modified": "2019-08-23T14:33:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:19.000Z", "id": "observed-data--2b5d22c4-50b4-4978-b6b0-83289afe66e9", "last_observed": "2019-08-23T14:33:19.000Z", "modified": "2019-08-23T14:33:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:16.000Z", "id": "observed-data--7d2a5f77-e978-4307-90e2-a472296783dd", "last_observed": "2019-08-23T14:33:16.000Z", "modified": "2019-08-23T14:33:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:12.000Z", "id": "observed-data--c2caf7d6-efbb-4e9a-ab24-7763f0e961de", "last_observed": "2019-08-23T14:33:12.000Z", "modified": "2019-08-23T14:33:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:09.000Z", "id": "observed-data--888af630-0586-47db-a291-7610a9273b68", "last_observed": "2019-08-23T14:33:09.000Z", "modified": "2019-08-23T14:33:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:06.000Z", "id": "observed-data--d83d7706-5b8e-462b-b902-e0d279862660", "last_observed": "2019-08-23T14:33:06.000Z", "modified": "2019-08-23T14:33:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:03.000Z", "id": "observed-data--443bc322-563d-4858-8038-d28d18cc098e", "last_observed": "2019-08-23T14:33:03.000Z", "modified": "2019-08-23T14:33:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:33:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:33:00.000Z", "id": "observed-data--c424b5b2-e6fd-4e21-aa61-f3cdb0c149f6", "last_observed": "2019-08-23T14:33:00.000Z", "modified": "2019-08-23T14:33:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzM6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMzowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:33:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:33:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:57.000Z", "id": "observed-data--64549986-7e32-4815-af32-26c7f78295cc", "last_observed": "2019-08-23T14:32:57.000Z", "modified": "2019-08-23T14:32:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:54.000Z", "id": "observed-data--9cbbf92f-fa93-4797-9ae2-58e7bb2a3e89", "last_observed": "2019-08-23T14:32:54.000Z", "modified": "2019-08-23T14:32:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:50.000Z", "id": "observed-data--0a8ac7ed-541c-4dcb-bbec-a62e495a8d3c", "last_observed": "2019-08-23T14:32:50.000Z", "modified": "2019-08-23T14:32:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:47.000Z", "id": "observed-data--a0e2c9ec-fd29-4b9a-b50e-4a7b8ccf8a14", "last_observed": "2019-08-23T14:32:47.000Z", "modified": "2019-08-23T14:32:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:44.000Z", "id": "observed-data--b0ef3967-857a-4af0-8310-1ec4197d22fc", "last_observed": "2019-08-23T14:32:44.000Z", "modified": "2019-08-23T14:32:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:41.000Z", "id": "observed-data--587321c5-2377-4c1a-9264-88fff33a1088", "last_observed": "2019-08-23T14:32:41.000Z", "modified": "2019-08-23T14:32:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:38.000Z", "id": "observed-data--2378b880-8249-4360-b13d-67e5cf6cba83", "last_observed": "2019-08-23T14:32:38.000Z", "modified": "2019-08-23T14:32:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:35.000Z", "id": "observed-data--d458b087-2db7-422c-8881-851c322452dc", "last_observed": "2019-08-23T14:32:35.000Z", "modified": "2019-08-23T14:32:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:32.000Z", "id": "observed-data--abd87cd4-0c13-4d36-9bb7-545dc032b300", "last_observed": "2019-08-23T14:32:32.000Z", "modified": "2019-08-23T14:32:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:28.000Z", "id": "observed-data--95581268-db50-461d-ac97-f6083c2f2b32", "last_observed": "2019-08-23T14:32:28.000Z", "modified": "2019-08-23T14:32:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:25.000Z", "id": "observed-data--e68505c0-877f-41a5-81bb-9e737b252abd", "last_observed": "2019-08-23T14:32:25.000Z", "modified": "2019-08-23T14:32:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:22.000Z", "id": "observed-data--ad7410a3-b8e1-4fea-a810-b4e22ee5a918", "last_observed": "2019-08-23T14:32:22.000Z", "modified": "2019-08-23T14:32:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:19.000Z", "id": "observed-data--4375580e-05f8-4f7d-9476-cda02764e95c", "last_observed": "2019-08-23T14:32:19.000Z", "modified": "2019-08-23T14:32:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:16.000Z", "id": "observed-data--ab8689b8-08d9-4628-810c-a85806e8db69", "last_observed": "2019-08-23T14:32:16.000Z", "modified": "2019-08-23T14:32:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:13.000Z", "id": "observed-data--9754ebf7-965d-4381-b436-7afc6b245beb", "last_observed": "2019-08-23T14:32:13.000Z", "modified": "2019-08-23T14:32:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:10.000Z", "id": "observed-data--848d3ff0-541e-40e9-8071-29f3c13dcdbc", "last_observed": "2019-08-23T14:32:10.000Z", "modified": "2019-08-23T14:32:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:06.000Z", "id": "observed-data--904f8d10-eee2-4952-8725-141b6796f086", "last_observed": "2019-08-23T14:32:06.000Z", "modified": "2019-08-23T14:32:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:03.000Z", "id": "observed-data--fc074a4f-3be4-4cc9-bd2f-db566d77cc00", "last_observed": "2019-08-23T14:32:03.000Z", "modified": "2019-08-23T14:32:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:32:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:32:00.000Z", "id": "observed-data--95e7df51-1874-400d-97ce-af0b7a246ebf", "last_observed": "2019-08-23T14:32:00.000Z", "modified": "2019-08-23T14:32:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzI6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMjowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:32:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:32:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:57.000Z", "id": "observed-data--1dec7bb6-1a04-424b-832a-2753087a3965", "last_observed": "2019-08-23T14:31:57.000Z", "modified": "2019-08-23T14:31:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:54.000Z", "id": "observed-data--0bebee5b-fd30-4b81-bcbb-18f7e9093053", "last_observed": "2019-08-23T14:31:54.000Z", "modified": "2019-08-23T14:31:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:51.000Z", "id": "observed-data--f20c93dc-6ac5-4809-921a-cf77fd70b5ae", "last_observed": "2019-08-23T14:31:51.000Z", "modified": "2019-08-23T14:31:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:47.000Z", "id": "observed-data--f45ad799-2d3d-4fab-961f-034e5f2c9417", "last_observed": "2019-08-23T14:31:47.000Z", "modified": "2019-08-23T14:31:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:44.000Z", "id": "observed-data--7ee3004f-e1f1-4926-b225-4481caa23299", "last_observed": "2019-08-23T14:31:44.000Z", "modified": "2019-08-23T14:31:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:41.000Z", "id": "observed-data--e3dd4882-c968-41be-b96e-77681f56cd02", "last_observed": "2019-08-23T14:31:41.000Z", "modified": "2019-08-23T14:31:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:38.000Z", "id": "observed-data--4fe75999-4c37-4476-9df6-e7868049b391", "last_observed": "2019-08-23T14:31:38.000Z", "modified": "2019-08-23T14:31:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:35.000Z", "id": "observed-data--5fab9764-2d59-4680-b482-3d716c9c0fd5", "last_observed": "2019-08-23T14:31:35.000Z", "modified": "2019-08-23T14:31:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:32.000Z", "id": "observed-data--8bcfea00-8234-4677-a8fc-0fe19a0b3f66", "last_observed": "2019-08-23T14:31:32.000Z", "modified": "2019-08-23T14:31:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:29.000Z", "id": "observed-data--95cd5765-8000-4ca1-8e97-bcc84235b8da", "last_observed": "2019-08-23T14:31:29.000Z", "modified": "2019-08-23T14:31:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:25.000Z", "id": "observed-data--187d7763-9979-4c41-b8ea-f087c876a5af", "last_observed": "2019-08-23T14:31:25.000Z", "modified": "2019-08-23T14:31:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:22.000Z", "id": "observed-data--cfcbe0d8-d6e1-4491-b0c8-c7a8dd303634", "last_observed": "2019-08-23T14:31:22.000Z", "modified": "2019-08-23T14:31:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:19.000Z", "id": "observed-data--1288a74e-ae16-46cf-906e-10af0169202b", "last_observed": "2019-08-23T14:31:19.000Z", "modified": "2019-08-23T14:31:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:16.000Z", "id": "observed-data--8e27a162-deac-4fc5-b54e-ef4d6f980af0", "last_observed": "2019-08-23T14:31:16.000Z", "modified": "2019-08-23T14:31:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:13.000Z", "id": "observed-data--1549000e-b0fb-45c6-99f0-1e93b27cbff3", "last_observed": "2019-08-23T14:31:13.000Z", "modified": "2019-08-23T14:31:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:10.000Z", "id": "observed-data--abb8c40e-62e9-4850-b8fb-60e2dbc5ac72", "last_observed": "2019-08-23T14:31:10.000Z", "modified": "2019-08-23T14:31:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMToxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:07.000Z", "id": "observed-data--1d9e9e5d-a9d7-4921-b1cf-d6684fcd177e", "last_observed": "2019-08-23T14:31:07.000Z", "modified": "2019-08-23T14:31:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:03.000Z", "id": "observed-data--5f507e98-d87d-4ca2-aaf7-048f0b5302fd", "last_observed": "2019-08-23T14:31:03.000Z", "modified": "2019-08-23T14:31:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:31:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:31:00.000Z", "id": "observed-data--8098aba4-6922-4be7-81fb-7a256fb5d46e", "last_observed": "2019-08-23T14:31:00.000Z", "modified": "2019-08-23T14:31:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzE6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMTowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:31:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:31:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:57.000Z", "id": "observed-data--77ae1de3-63d0-4f40-b5c5-9a3f1b9f56d1", "last_observed": "2019-08-23T14:30:57.000Z", "modified": "2019-08-23T14:30:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:54.000Z", "id": "observed-data--2684fd75-7db8-4849-87f1-5f1d2d137fd9", "last_observed": "2019-08-23T14:30:54.000Z", "modified": "2019-08-23T14:30:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:51.000Z", "id": "observed-data--7015487c-5e18-4b5a-9b17-0436dd5f884e", "last_observed": "2019-08-23T14:30:51.000Z", "modified": "2019-08-23T14:30:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:48.000Z", "id": "observed-data--9a06e4e7-5242-44f6-92bb-5112280c2f1c", "last_observed": "2019-08-23T14:30:48.000Z", "modified": "2019-08-23T14:30:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:45.000Z", "id": "observed-data--eb42a08e-87a1-4e41-a0b8-aaa1ff7c7a34", "last_observed": "2019-08-23T14:30:45.000Z", "modified": "2019-08-23T14:30:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:41.000Z", "id": "observed-data--8623d3be-0a8b-4de8-9fda-85ea451f51a8", "last_observed": "2019-08-23T14:30:41.000Z", "modified": "2019-08-23T14:30:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:38.000Z", "id": "observed-data--011f80b5-f556-459e-a1d7-548d5df3f63c", "last_observed": "2019-08-23T14:30:38.000Z", "modified": "2019-08-23T14:30:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:35.000Z", "id": "observed-data--f6730e19-1ee4-4723-b87d-6915171620c5", "last_observed": "2019-08-23T14:30:35.000Z", "modified": "2019-08-23T14:30:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:32.000Z", "id": "observed-data--f4cecd2e-0b4d-4736-b222-8b37074b5b76", "last_observed": "2019-08-23T14:30:32.000Z", "modified": "2019-08-23T14:30:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:29.000Z", "id": "observed-data--8a32804f-2b58-4468-b22f-a789c0c67424", "last_observed": "2019-08-23T14:30:29.000Z", "modified": "2019-08-23T14:30:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:26.000Z", "id": "observed-data--05f169f6-6bdc-483c-b116-9cb6d5380679", "last_observed": "2019-08-23T14:30:26.000Z", "modified": "2019-08-23T14:30:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:23.000Z", "id": "observed-data--dc4e0595-dfe9-471b-a6ac-add8c50d4ac7", "last_observed": "2019-08-23T14:30:23.000Z", "modified": "2019-08-23T14:30:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:19.000Z", "id": "observed-data--e55cf53f-7dac-465c-8007-8777ae3e2242", "last_observed": "2019-08-23T14:30:19.000Z", "modified": "2019-08-23T14:30:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:16.000Z", "id": "observed-data--03437e95-2f04-4d8f-9f5c-3a6a926d4698", "last_observed": "2019-08-23T14:30:16.000Z", "modified": "2019-08-23T14:30:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:13.000Z", "id": "observed-data--54638cbf-39df-4a17-aa04-1197acb86f6c", "last_observed": "2019-08-23T14:30:13.000Z", "modified": "2019-08-23T14:30:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:10.000Z", "id": "observed-data--e5618f35-6591-42d7-8ce9-cd2978b93b6c", "last_observed": "2019-08-23T14:30:10.000Z", "modified": "2019-08-23T14:30:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:07.000Z", "id": "observed-data--4ed3c9b6-1ac1-41d4-a952-a367e721fff4", "last_observed": "2019-08-23T14:30:07.000Z", "modified": "2019-08-23T14:30:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:04.000Z", "id": "observed-data--f5b2d40a-1c19-4df7-a275-2998cade9873", "last_observed": "2019-08-23T14:30:04.000Z", "modified": "2019-08-23T14:30:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:30:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:30:01.000Z", "id": "observed-data--067da2ad-e42d-4cb2-9e23-a6cd7277cf24", "last_observed": "2019-08-23T14:30:01.000Z", "modified": "2019-08-23T14:30:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MzA6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozMDowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:30:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:30:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:57.000Z", "id": "observed-data--edc7edf9-e94d-45c9-a1d5-74e93f03ae5f", "last_observed": "2019-08-23T14:29:57.000Z", "modified": "2019-08-23T14:29:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:54.000Z", "id": "observed-data--a0989453-64d9-4d6a-b79f-cea0e636e40b", "last_observed": "2019-08-23T14:29:54.000Z", "modified": "2019-08-23T14:29:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:51.000Z", "id": "observed-data--74c89322-2076-452c-a10d-2bca7545cecc", "last_observed": "2019-08-23T14:29:51.000Z", "modified": "2019-08-23T14:29:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:48.000Z", "id": "observed-data--d87e4754-fc1c-476e-97b3-b2226c701d40", "last_observed": "2019-08-23T14:29:48.000Z", "modified": "2019-08-23T14:29:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:45.000Z", "id": "observed-data--76a6adb2-94c9-4063-8b03-87ec6ef09893", "last_observed": "2019-08-23T14:29:45.000Z", "modified": "2019-08-23T14:29:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:42.000Z", "id": "observed-data--c1c7c131-324c-4ee4-84c7-c11f0c596189", "last_observed": "2019-08-23T14:29:42.000Z", "modified": "2019-08-23T14:29:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:38.000Z", "id": "observed-data--1284bfd6-fd71-498b-9e3b-a92840f46bcb", "last_observed": "2019-08-23T14:29:38.000Z", "modified": "2019-08-23T14:29:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:35.000Z", "id": "observed-data--aa847966-a4b9-4c4c-9a24-adc0ba71f4a1", "last_observed": "2019-08-23T14:29:35.000Z", "modified": "2019-08-23T14:29:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:32.000Z", "id": "observed-data--a8ab89d1-eb29-4ed1-80d1-2ff81a858670", "last_observed": "2019-08-23T14:29:32.000Z", "modified": "2019-08-23T14:29:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:29.000Z", "id": "observed-data--8ab27851-24ca-4bdf-af23-1258f094085b", "last_observed": "2019-08-23T14:29:29.000Z", "modified": "2019-08-23T14:29:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:26.000Z", "id": "observed-data--3448f469-3bbf-4f53-aa1d-9e6397e95ec0", "last_observed": "2019-08-23T14:29:26.000Z", "modified": "2019-08-23T14:29:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:23.000Z", "id": "observed-data--06657aab-cf72-4c78-bc9a-be909d75ce1d", "last_observed": "2019-08-23T14:29:23.000Z", "modified": "2019-08-23T14:29:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:20.000Z", "id": "observed-data--02bd9fb8-2594-4432-9b9f-79948d66d3d1", "last_observed": "2019-08-23T14:29:20.000Z", "modified": "2019-08-23T14:29:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:16.000Z", "id": "observed-data--444904ae-6b96-4f69-b1ea-b9ddde7c493e", "last_observed": "2019-08-23T14:29:16.000Z", "modified": "2019-08-23T14:29:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:13.000Z", "id": "observed-data--c7824b6d-72bf-479c-8094-1cc63c9c1972", "last_observed": "2019-08-23T14:29:13.000Z", "modified": "2019-08-23T14:29:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:10.000Z", "id": "observed-data--c15302eb-0f7e-44ba-9e6b-214b2844fb3e", "last_observed": "2019-08-23T14:29:10.000Z", "modified": "2019-08-23T14:29:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOToxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:07.000Z", "id": "observed-data--d567aa5b-a58f-404d-8821-f7c89ef284db", "last_observed": "2019-08-23T14:29:07.000Z", "modified": "2019-08-23T14:29:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:04.000Z", "id": "observed-data--d1364d2d-2c1b-4c84-8bf2-ae7dd1bf13b5", "last_observed": "2019-08-23T14:29:04.000Z", "modified": "2019-08-23T14:29:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:29:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:29:01.000Z", "id": "observed-data--99e00da7-bd64-4a3c-8d64-525c42016dbf", "last_observed": "2019-08-23T14:29:01.000Z", "modified": "2019-08-23T14:29:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjk6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyOTowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:29:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:29:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:58.000Z", "id": "observed-data--a98106d6-ce3a-46a1-8a11-3b97b4415f27", "last_observed": "2019-08-23T14:28:58.000Z", "modified": "2019-08-23T14:28:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:54.000Z", "id": "observed-data--f8e8ce26-0112-4963-9fc8-fde8458fe4e7", "last_observed": "2019-08-23T14:28:54.000Z", "modified": "2019-08-23T14:28:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:51.000Z", "id": "observed-data--6b76a08f-bdc3-481e-92f4-22a3a4179916", "last_observed": "2019-08-23T14:28:51.000Z", "modified": "2019-08-23T14:28:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:48.000Z", "id": "observed-data--90056011-952b-42de-88fd-fb1042007036", "last_observed": "2019-08-23T14:28:48.000Z", "modified": "2019-08-23T14:28:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:45.000Z", "id": "observed-data--fb5e3b5b-3a29-4662-bbae-70a58720c982", "last_observed": "2019-08-23T14:28:45.000Z", "modified": "2019-08-23T14:28:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:42.000Z", "id": "observed-data--033b4892-3b3c-46b4-bf5b-7668091d8b73", "last_observed": "2019-08-23T14:28:42.000Z", "modified": "2019-08-23T14:28:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:39.000Z", "id": "observed-data--4295e01b-3f6c-45cd-bce2-87dce81c901d", "last_observed": "2019-08-23T14:28:39.000Z", "modified": "2019-08-23T14:28:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:36.000Z", "id": "observed-data--655a3ab1-0e33-4954-9ebf-548bec111ac6", "last_observed": "2019-08-23T14:28:36.000Z", "modified": "2019-08-23T14:28:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:32.000Z", "id": "observed-data--ea1c0e24-18f7-40b3-a3b6-aa8b2941ff1f", "last_observed": "2019-08-23T14:28:32.000Z", "modified": "2019-08-23T14:28:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:29.000Z", "id": "observed-data--ce0cddde-4d72-4a39-a631-887db54b0cbb", "last_observed": "2019-08-23T14:28:29.000Z", "modified": "2019-08-23T14:28:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:26.000Z", "id": "observed-data--3ad8d5c8-9d8d-4402-b151-e3218021291d", "last_observed": "2019-08-23T14:28:26.000Z", "modified": "2019-08-23T14:28:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:23.000Z", "id": "observed-data--4b7d059d-e750-4f15-90f3-25dc70e9b91c", "last_observed": "2019-08-23T14:28:23.000Z", "modified": "2019-08-23T14:28:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:20.000Z", "id": "observed-data--e9fd5f2e-ff37-4c11-a684-e01bcea0bd8a", "last_observed": "2019-08-23T14:28:20.000Z", "modified": "2019-08-23T14:28:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:17.000Z", "id": "observed-data--a2a71594-c191-4390-ae6d-6c02f9cb84c8", "last_observed": "2019-08-23T14:28:17.000Z", "modified": "2019-08-23T14:28:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:14.000Z", "id": "observed-data--fb640c12-59bc-4c93-bd8a-43c6e35565b2", "last_observed": "2019-08-23T14:28:14.000Z", "modified": "2019-08-23T14:28:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:10.000Z", "id": "observed-data--279238b8-9269-450d-a8c6-4b073e136b7b", "last_observed": "2019-08-23T14:28:10.000Z", "modified": "2019-08-23T14:28:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:07.000Z", "id": "observed-data--961730f6-4317-460f-8032-66e511e7a766", "last_observed": "2019-08-23T14:28:07.000Z", "modified": "2019-08-23T14:28:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:04.000Z", "id": "observed-data--c147b648-db77-41b3-90dc-744fe5f83f65", "last_observed": "2019-08-23T14:28:04.000Z", "modified": "2019-08-23T14:28:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:28:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:28:01.000Z", "id": "observed-data--1a8ca1e0-46f4-4a9c-b9d8-9c5728142286", "last_observed": "2019-08-23T14:28:01.000Z", "modified": "2019-08-23T14:28:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjg6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyODowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:28:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:28:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:58.000Z", "id": "observed-data--845605f2-2731-42c9-8e00-a9161e0bb639", "last_observed": "2019-08-23T14:27:58.000Z", "modified": "2019-08-23T14:27:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:55.000Z", "id": "observed-data--5a14ae3d-d8b8-466c-8312-402cc5daf1f8", "last_observed": "2019-08-23T14:27:55.000Z", "modified": "2019-08-23T14:27:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:51.000Z", "id": "observed-data--86bac7b0-c4b9-4004-a65a-22866f0b3a2b", "last_observed": "2019-08-23T14:27:51.000Z", "modified": "2019-08-23T14:27:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:48.000Z", "id": "observed-data--a4cb6c3f-a533-42fa-8455-6678c484c010", "last_observed": "2019-08-23T14:27:48.000Z", "modified": "2019-08-23T14:27:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:45.000Z", "id": "observed-data--3cc2fe33-f1ed-4068-9d76-10ce86855c40", "last_observed": "2019-08-23T14:27:45.000Z", "modified": "2019-08-23T14:27:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:42.000Z", "id": "observed-data--a5f18c5f-c7e3-41ac-8372-cc9c9226aea0", "last_observed": "2019-08-23T14:27:42.000Z", "modified": "2019-08-23T14:27:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:39.000Z", "id": "observed-data--7067f0c5-3722-4474-843d-79cf0e311256", "last_observed": "2019-08-23T14:27:39.000Z", "modified": "2019-08-23T14:27:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:36.000Z", "id": "observed-data--abf5dc6f-4ddc-4e6d-9731-044db3842985", "last_observed": "2019-08-23T14:27:36.000Z", "modified": "2019-08-23T14:27:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:33.000Z", "id": "observed-data--1c312d6f-6f85-4141-b599-6f047555c951", "last_observed": "2019-08-23T14:27:33.000Z", "modified": "2019-08-23T14:27:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:29.000Z", "id": "observed-data--97754243-7c3e-451d-b3ff-dd82dc8fb488", "last_observed": "2019-08-23T14:27:29.000Z", "modified": "2019-08-23T14:27:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:26.000Z", "id": "observed-data--d7a24ff4-05bd-449b-b568-2ee54215b170", "last_observed": "2019-08-23T14:27:26.000Z", "modified": "2019-08-23T14:27:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:23.000Z", "id": "observed-data--3fc5674b-74e4-4763-a19c-f1a7b6d5b1c0", "last_observed": "2019-08-23T14:27:23.000Z", "modified": "2019-08-23T14:27:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:20.000Z", "id": "observed-data--f4c79f39-a061-4a44-8584-2bc77dc3838d", "last_observed": "2019-08-23T14:27:20.000Z", "modified": "2019-08-23T14:27:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:17.000Z", "id": "observed-data--e218b512-e67d-4b04-8335-242d6e7058bc", "last_observed": "2019-08-23T14:27:17.000Z", "modified": "2019-08-23T14:27:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:14.000Z", "id": "observed-data--ee4e8271-c423-4009-a16b-3ca32c93bf66", "last_observed": "2019-08-23T14:27:14.000Z", "modified": "2019-08-23T14:27:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:11.000Z", "id": "observed-data--580cfde0-f796-4fdf-84be-dc85fec28cfe", "last_observed": "2019-08-23T14:27:11.000Z", "modified": "2019-08-23T14:27:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:07.000Z", "id": "observed-data--88e84e3c-ea02-4b13-87ac-fc2f41663250", "last_observed": "2019-08-23T14:27:07.000Z", "modified": "2019-08-23T14:27:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:04.000Z", "id": "observed-data--09e36037-c2f8-4903-854b-3b911efffe25", "last_observed": "2019-08-23T14:27:04.000Z", "modified": "2019-08-23T14:27:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:27:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:27:01.000Z", "id": "observed-data--1ef54bf2-e035-441d-9c94-ef6429cfa625", "last_observed": "2019-08-23T14:27:01.000Z", "modified": "2019-08-23T14:27:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mjc6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNzowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:27:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:27:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:58.000Z", "id": "observed-data--8b27c240-b9d9-469c-a08a-0b267c58aa1e", "last_observed": "2019-08-23T14:26:58.000Z", "modified": "2019-08-23T14:26:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:55.000Z", "id": "observed-data--5241563c-d250-44d0-bae7-3ac4060c3221", "last_observed": "2019-08-23T14:26:55.000Z", "modified": "2019-08-23T14:26:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:52.000Z", "id": "observed-data--16c76c3b-8c50-4f46-a8f0-1120c4839ee1", "last_observed": "2019-08-23T14:26:52.000Z", "modified": "2019-08-23T14:26:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:49.000Z", "id": "observed-data--51434dd2-196c-4464-b284-79759ffaa1d3", "last_observed": "2019-08-23T14:26:49.000Z", "modified": "2019-08-23T14:26:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:45.000Z", "id": "observed-data--7797a735-f0cd-4afd-a31b-8148df52fbaa", "last_observed": "2019-08-23T14:26:45.000Z", "modified": "2019-08-23T14:26:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:42.000Z", "id": "observed-data--967d78a6-8793-4d7c-8a07-92cd111856f0", "last_observed": "2019-08-23T14:26:42.000Z", "modified": "2019-08-23T14:26:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:39.000Z", "id": "observed-data--8568967c-e1ac-4716-847e-1692fa37efa7", "last_observed": "2019-08-23T14:26:39.000Z", "modified": "2019-08-23T14:26:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:36.000Z", "id": "observed-data--fc64b79e-7b9c-4a1c-a590-8be43ea76b0e", "last_observed": "2019-08-23T14:26:36.000Z", "modified": "2019-08-23T14:26:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:33.000Z", "id": "observed-data--9cca35ea-9846-4509-a93b-512bf342a961", "last_observed": "2019-08-23T14:26:33.000Z", "modified": "2019-08-23T14:26:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:30.000Z", "id": "observed-data--707fe00e-46ca-4196-a8ca-fce127f54aa9", "last_observed": "2019-08-23T14:26:30.000Z", "modified": "2019-08-23T14:26:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:27.000Z", "id": "observed-data--e575a837-e7b5-4241-981d-ba8b553681c8", "last_observed": "2019-08-23T14:26:27.000Z", "modified": "2019-08-23T14:26:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:23.000Z", "id": "observed-data--78751aa1-3b2d-4a99-a183-5edacd4d3893", "last_observed": "2019-08-23T14:26:23.000Z", "modified": "2019-08-23T14:26:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:20.000Z", "id": "observed-data--8a4965f4-1e7b-4050-96b2-f84efe761d4b", "last_observed": "2019-08-23T14:26:20.000Z", "modified": "2019-08-23T14:26:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:17.000Z", "id": "observed-data--9d822009-f5e1-4cd1-beb2-3924b8dc86b5", "last_observed": "2019-08-23T14:26:17.000Z", "modified": "2019-08-23T14:26:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:14.000Z", "id": "observed-data--1ab177f9-5aa9-4119-9e76-846e7a2f905f", "last_observed": "2019-08-23T14:26:14.000Z", "modified": "2019-08-23T14:26:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:11.000Z", "id": "observed-data--3fab1a7d-de2b-4a54-bbb0-0e23e4155e97", "last_observed": "2019-08-23T14:26:11.000Z", "modified": "2019-08-23T14:26:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:08.000Z", "id": "observed-data--fcb7a10f-1feb-4dca-b1cc-87559a92b7fb", "last_observed": "2019-08-23T14:26:08.000Z", "modified": "2019-08-23T14:26:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:04.000Z", "id": "observed-data--0e1432e6-0b78-4bb1-8ee4-573d292aa5ad", "last_observed": "2019-08-23T14:26:04.000Z", "modified": "2019-08-23T14:26:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:26:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:26:01.000Z", "id": "observed-data--6135a301-85b6-4386-a2d0-e1d4690d3d7b", "last_observed": "2019-08-23T14:26:01.000Z", "modified": "2019-08-23T14:26:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjY6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNjowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:26:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:26:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:58.000Z", "id": "observed-data--8fa5e1f5-6797-45f5-9956-47d86c728e93", "last_observed": "2019-08-23T14:25:58.000Z", "modified": "2019-08-23T14:25:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:55.000Z", "id": "observed-data--111a3524-3d8b-482d-bcbc-00f311d4da4e", "last_observed": "2019-08-23T14:25:55.000Z", "modified": "2019-08-23T14:25:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:52.000Z", "id": "observed-data--6e105dc1-6fa5-4dd1-aab5-e20566a89127", "last_observed": "2019-08-23T14:25:52.000Z", "modified": "2019-08-23T14:25:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:49.000Z", "id": "observed-data--0914f2ae-ce41-4ce8-8798-90a107a21357", "last_observed": "2019-08-23T14:25:49.000Z", "modified": "2019-08-23T14:25:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:46.000Z", "id": "observed-data--e8c5295b-3a6e-4421-94fb-f2ed5ba0691c", "last_observed": "2019-08-23T14:25:46.000Z", "modified": "2019-08-23T14:25:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:42.000Z", "id": "observed-data--3e9b64c7-36ad-4260-9b22-1f46ebe54fe1", "last_observed": "2019-08-23T14:25:42.000Z", "modified": "2019-08-23T14:25:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:39.000Z", "id": "observed-data--4d9923c9-53e6-4af9-9133-dda4e833fab2", "last_observed": "2019-08-23T14:25:39.000Z", "modified": "2019-08-23T14:25:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:36.000Z", "id": "observed-data--a9b9c61b-203a-438e-96ae-ff72c86bca25", "last_observed": "2019-08-23T14:25:36.000Z", "modified": "2019-08-23T14:25:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:33.000Z", "id": "observed-data--d77886a3-1c25-4f59-8d5b-1de26d572789", "last_observed": "2019-08-23T14:25:33.000Z", "modified": "2019-08-23T14:25:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:30.000Z", "id": "observed-data--38547d5c-da46-478a-95af-a7e423db254e", "last_observed": "2019-08-23T14:25:30.000Z", "modified": "2019-08-23T14:25:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:27.000Z", "id": "observed-data--9f8b814f-b0a3-43ad-90e9-8af33153b82e", "last_observed": "2019-08-23T14:25:27.000Z", "modified": "2019-08-23T14:25:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNToyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:24.000Z", "id": "observed-data--6bc36d55-da2e-4e8a-bb51-63b8f12b0b8f", "last_observed": "2019-08-23T14:25:24.000Z", "modified": "2019-08-23T14:25:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNToyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:20.000Z", "id": "observed-data--adb2be71-4386-45af-9977-2c4ac714d244", "last_observed": "2019-08-23T14:25:20.000Z", "modified": "2019-08-23T14:25:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:17.000Z", "id": "observed-data--38c3a880-0c30-49e6-94ff-db90eb06e65a", "last_observed": "2019-08-23T14:25:17.000Z", "modified": "2019-08-23T14:25:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNToxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:14.000Z", "id": "observed-data--864c7171-fdf8-4ac2-9fe4-6ed8f63f4e88", "last_observed": "2019-08-23T14:25:14.000Z", "modified": "2019-08-23T14:25:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNToxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:11.000Z", "id": "observed-data--ef5bc458-5250-4867-b039-9b96d44b8164", "last_observed": "2019-08-23T14:25:11.000Z", "modified": "2019-08-23T14:25:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNToxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:08.000Z", "id": "observed-data--337e8af5-97a7-4be1-bf96-b9bb74b8e638", "last_observed": "2019-08-23T14:25:08.000Z", "modified": "2019-08-23T14:25:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:05.000Z", "id": "observed-data--abdd1288-8d76-46e1-a41c-ffc2d3ffa897", "last_observed": "2019-08-23T14:25:05.000Z", "modified": "2019-08-23T14:25:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:25:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:25:02.000Z", "id": "observed-data--49de9087-3e33-4cfc-9479-734a1227ebac", "last_observed": "2019-08-23T14:25:02.000Z", "modified": "2019-08-23T14:25:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjU6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:25:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:25:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:58.000Z", "id": "observed-data--e1d20cdc-213b-4930-abf0-2dee5a68e696", "last_observed": "2019-08-23T14:24:58.000Z", "modified": "2019-08-23T14:24:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:55.000Z", "id": "observed-data--c207e64c-7851-4b70-80f4-d7b673ad2524", "last_observed": "2019-08-23T14:24:55.000Z", "modified": "2019-08-23T14:24:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:52.000Z", "id": "observed-data--067581a2-b3af-4d3d-9169-cecbbb1d5587", "last_observed": "2019-08-23T14:24:52.000Z", "modified": "2019-08-23T14:24:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:49.000Z", "id": "observed-data--35bef28c-1ec4-477b-a28b-2d8c863ae79f", "last_observed": "2019-08-23T14:24:49.000Z", "modified": "2019-08-23T14:24:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:46.000Z", "id": "observed-data--7fe20a58-a6a6-45d6-a40c-d3e7f8bdcadf", "last_observed": "2019-08-23T14:24:46.000Z", "modified": "2019-08-23T14:24:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:43.000Z", "id": "observed-data--ca5e64df-98f7-48a2-93bd-4d4d22feecac", "last_observed": "2019-08-23T14:24:43.000Z", "modified": "2019-08-23T14:24:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:40.000Z", "id": "observed-data--9a140286-4ba8-44d3-8687-a40c07695e8a", "last_observed": "2019-08-23T14:24:40.000Z", "modified": "2019-08-23T14:24:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:36.000Z", "id": "observed-data--d1816159-8b4b-41cd-926c-e22956726525", "last_observed": "2019-08-23T14:24:36.000Z", "modified": "2019-08-23T14:24:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:33.000Z", "id": "observed-data--cb4fbecd-677c-4341-b7c9-c23d0375b138", "last_observed": "2019-08-23T14:24:33.000Z", "modified": "2019-08-23T14:24:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:30.000Z", "id": "observed-data--9aabbf45-1c93-47b5-9f67-e6370fb8532f", "last_observed": "2019-08-23T14:24:30.000Z", "modified": "2019-08-23T14:24:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:27.000Z", "id": "observed-data--910c3ce6-bb81-4a9d-aa16-63f6a79adfae", "last_observed": "2019-08-23T14:24:27.000Z", "modified": "2019-08-23T14:24:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:24.000Z", "id": "observed-data--d9c12db0-d8f9-4abe-b42c-bd19af184dac", "last_observed": "2019-08-23T14:24:24.000Z", "modified": "2019-08-23T14:24:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:21.000Z", "id": "observed-data--8b6111ea-9ac4-4525-bdbe-15c0ab85a953", "last_observed": "2019-08-23T14:24:21.000Z", "modified": "2019-08-23T14:24:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:17.000Z", "id": "observed-data--eb609c62-0311-409a-9ca0-c223bced720d", "last_observed": "2019-08-23T14:24:17.000Z", "modified": "2019-08-23T14:24:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:14.000Z", "id": "observed-data--16b3f2d3-aca8-4056-bbdc-1d8e2c8da04c", "last_observed": "2019-08-23T14:24:14.000Z", "modified": "2019-08-23T14:24:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:11.000Z", "id": "observed-data--18ad5d0a-2559-42c0-bbe7-41c565dc0701", "last_observed": "2019-08-23T14:24:11.000Z", "modified": "2019-08-23T14:24:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:08.000Z", "id": "observed-data--d681d663-fa33-4d1d-905b-20defb00c42e", "last_observed": "2019-08-23T14:24:08.000Z", "modified": "2019-08-23T14:24:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:05.000Z", "id": "observed-data--d8c06ed3-9dde-472f-808f-9498789c0687", "last_observed": "2019-08-23T14:24:05.000Z", "modified": "2019-08-23T14:24:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:24:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:24:02.000Z", "id": "observed-data--e2b46218-26a7-47ed-9080-7696f16dc288", "last_observed": "2019-08-23T14:24:02.000Z", "modified": "2019-08-23T14:24:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjQ6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyNDowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:24:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:24:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:59.000Z", "id": "observed-data--6e7548b6-cab3-4f1c-9c69-dcebbc137be1", "last_observed": "2019-08-23T14:23:59.000Z", "modified": "2019-08-23T14:23:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:55.000Z", "id": "observed-data--8215709c-7781-4b4b-b345-19a22342ca93", "last_observed": "2019-08-23T14:23:55.000Z", "modified": "2019-08-23T14:23:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:52.000Z", "id": "observed-data--1da8aec8-f319-4eae-a9cc-ecaddb51747d", "last_observed": "2019-08-23T14:23:52.000Z", "modified": "2019-08-23T14:23:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:49.000Z", "id": "observed-data--592d4816-0e17-4ede-991e-3c2af1cb8458", "last_observed": "2019-08-23T14:23:49.000Z", "modified": "2019-08-23T14:23:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:46.000Z", "id": "observed-data--3112a033-b636-4a25-b910-3fe79b3872d5", "last_observed": "2019-08-23T14:23:46.000Z", "modified": "2019-08-23T14:23:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:43.000Z", "id": "observed-data--c547e808-816e-4385-a2df-fe1bc54eb3ca", "last_observed": "2019-08-23T14:23:43.000Z", "modified": "2019-08-23T14:23:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:40.000Z", "id": "observed-data--feb20dc9-d917-4564-b3d6-a5af39daf953", "last_observed": "2019-08-23T14:23:40.000Z", "modified": "2019-08-23T14:23:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:37.000Z", "id": "observed-data--59285f27-af01-4641-ad96-39bda1937edc", "last_observed": "2019-08-23T14:23:37.000Z", "modified": "2019-08-23T14:23:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:33.000Z", "id": "observed-data--f58999ad-7baf-4581-a31a-fd1c0e417574", "last_observed": "2019-08-23T14:23:33.000Z", "modified": "2019-08-23T14:23:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:30.000Z", "id": "observed-data--44a180ee-9a82-4c67-acd7-09cd66bc03e5", "last_observed": "2019-08-23T14:23:30.000Z", "modified": "2019-08-23T14:23:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:27.000Z", "id": "observed-data--cffb4ab6-8aaf-4e41-ad21-300479c1a45e", "last_observed": "2019-08-23T14:23:27.000Z", "modified": "2019-08-23T14:23:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:24.000Z", "id": "observed-data--2909814e-d876-4841-9ed4-c6aec7955caa", "last_observed": "2019-08-23T14:23:24.000Z", "modified": "2019-08-23T14:23:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:21.000Z", "id": "observed-data--1c805a31-c971-4640-bfbc-909ba16dd8dc", "last_observed": "2019-08-23T14:23:21.000Z", "modified": "2019-08-23T14:23:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:18.000Z", "id": "observed-data--eab17912-2ffe-4171-92fe-210f17f406e1", "last_observed": "2019-08-23T14:23:18.000Z", "modified": "2019-08-23T14:23:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:15.000Z", "id": "observed-data--a10157db-317c-42e4-823c-49bdea57731e", "last_observed": "2019-08-23T14:23:15.000Z", "modified": "2019-08-23T14:23:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:11.000Z", "id": "observed-data--3834f551-8795-47c8-8005-d240f5f2b321", "last_observed": "2019-08-23T14:23:11.000Z", "modified": "2019-08-23T14:23:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:08.000Z", "id": "observed-data--9895f58d-09af-4588-908a-db0036e0f02c", "last_observed": "2019-08-23T14:23:08.000Z", "modified": "2019-08-23T14:23:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:05.000Z", "id": "observed-data--794b6514-b9ca-4a07-93b1-2a5e530d8670", "last_observed": "2019-08-23T14:23:05.000Z", "modified": "2019-08-23T14:23:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:23:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:23:02.000Z", "id": "observed-data--dc1fdead-c4d2-422a-a574-d62ea26e0a23", "last_observed": "2019-08-23T14:23:02.000Z", "modified": "2019-08-23T14:23:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjM6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMzowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:23:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:23:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:59.000Z", "id": "observed-data--38aa0e7a-9df9-4eec-ad2e-99aa4a07c54f", "last_observed": "2019-08-23T14:22:59.000Z", "modified": "2019-08-23T14:22:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:56.000Z", "id": "observed-data--ee19234b-fdc9-4c22-8371-1a34bc7a7e0b", "last_observed": "2019-08-23T14:22:56.000Z", "modified": "2019-08-23T14:22:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:52.000Z", "id": "observed-data--69847819-b316-407c-828a-57d93be8de4e", "last_observed": "2019-08-23T14:22:52.000Z", "modified": "2019-08-23T14:22:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:49.000Z", "id": "observed-data--f24645fb-5b60-48ec-8905-b8e7fcc1352c", "last_observed": "2019-08-23T14:22:49.000Z", "modified": "2019-08-23T14:22:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:46.000Z", "id": "observed-data--adfb3633-090f-4225-bd4b-f82bd9fc02f6", "last_observed": "2019-08-23T14:22:46.000Z", "modified": "2019-08-23T14:22:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:43.000Z", "id": "observed-data--6c6ffe02-8892-4733-aa1a-c4c35645efa8", "last_observed": "2019-08-23T14:22:43.000Z", "modified": "2019-08-23T14:22:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:40.000Z", "id": "observed-data--6f8ac9e5-eab9-4ca1-a9a0-62dd33800d8f", "last_observed": "2019-08-23T14:22:40.000Z", "modified": "2019-08-23T14:22:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:37.000Z", "id": "observed-data--2981346c-e2f5-486f-93ad-26395017715e", "last_observed": "2019-08-23T14:22:37.000Z", "modified": "2019-08-23T14:22:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:34.000Z", "id": "observed-data--e6280367-e708-4e54-848d-4058e3e0054f", "last_observed": "2019-08-23T14:22:34.000Z", "modified": "2019-08-23T14:22:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:30.000Z", "id": "observed-data--05759ab5-5b75-4483-8a9c-563917cb0f00", "last_observed": "2019-08-23T14:22:30.000Z", "modified": "2019-08-23T14:22:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:27.000Z", "id": "observed-data--fc2f57f8-c6cc-4b43-9cec-8aaf6e1f1584", "last_observed": "2019-08-23T14:22:27.000Z", "modified": "2019-08-23T14:22:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:24.000Z", "id": "observed-data--a75d9090-b808-4131-921e-1154ccbd145a", "last_observed": "2019-08-23T14:22:24.000Z", "modified": "2019-08-23T14:22:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:21.000Z", "id": "observed-data--16964186-f254-4910-a6dd-e90f06db4a2d", "last_observed": "2019-08-23T14:22:21.000Z", "modified": "2019-08-23T14:22:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:18.000Z", "id": "observed-data--3fc7eb62-7624-4777-bc85-c7d409555a94", "last_observed": "2019-08-23T14:22:18.000Z", "modified": "2019-08-23T14:22:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:15.000Z", "id": "observed-data--4be2ea82-537c-47b9-b402-e4a60da36e6b", "last_observed": "2019-08-23T14:22:15.000Z", "modified": "2019-08-23T14:22:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:12.000Z", "id": "observed-data--e2f1b2dd-b40b-4df5-8d34-3e73bcff7bcf", "last_observed": "2019-08-23T14:22:12.000Z", "modified": "2019-08-23T14:22:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:08.000Z", "id": "observed-data--65b6f1cc-746b-4ecf-a9d7-777c8b1c4096", "last_observed": "2019-08-23T14:22:08.000Z", "modified": "2019-08-23T14:22:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:05.000Z", "id": "observed-data--9455c235-1264-48c3-8cb6-11ca79e80eb2", "last_observed": "2019-08-23T14:22:05.000Z", "modified": "2019-08-23T14:22:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:22:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:22:02.000Z", "id": "observed-data--7fbebef8-1c23-4071-851f-e394b078d046", "last_observed": "2019-08-23T14:22:02.000Z", "modified": "2019-08-23T14:22:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjI6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMjowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:22:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:22:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:59.000Z", "id": "observed-data--69bdc8a7-a153-49b8-a66d-59eba0b8c494", "last_observed": "2019-08-23T14:21:59.000Z", "modified": "2019-08-23T14:21:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:56.000Z", "id": "observed-data--28e22d18-ddf6-4ba4-8766-31cd067830fa", "last_observed": "2019-08-23T14:21:56.000Z", "modified": "2019-08-23T14:21:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:53.000Z", "id": "observed-data--cde61860-b6f2-4e4c-b212-96ecd929fe4a", "last_observed": "2019-08-23T14:21:53.000Z", "modified": "2019-08-23T14:21:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:50.000Z", "id": "observed-data--91b4e6f3-3353-455e-afb7-a8b8d172a602", "last_observed": "2019-08-23T14:21:50.000Z", "modified": "2019-08-23T14:21:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:46.000Z", "id": "observed-data--e783dfe8-3392-43dd-bcc3-7705560ed393", "last_observed": "2019-08-23T14:21:46.000Z", "modified": "2019-08-23T14:21:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:43.000Z", "id": "observed-data--70f8b136-b93d-4a25-a3f5-77eebc48707e", "last_observed": "2019-08-23T14:21:43.000Z", "modified": "2019-08-23T14:21:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:40.000Z", "id": "observed-data--6a7fbe48-9f8d-4d5d-ba78-27d59821476b", "last_observed": "2019-08-23T14:21:40.000Z", "modified": "2019-08-23T14:21:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:37.000Z", "id": "observed-data--cd8607b9-9321-4df0-896c-c9ce4c4f4b37", "last_observed": "2019-08-23T14:21:37.000Z", "modified": "2019-08-23T14:21:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:34.000Z", "id": "observed-data--b1170f0d-5d11-474b-b8f3-cccaf1c0ad02", "last_observed": "2019-08-23T14:21:34.000Z", "modified": "2019-08-23T14:21:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:31.000Z", "id": "observed-data--0c30b357-956a-4176-a2e3-a140f8e43c0e", "last_observed": "2019-08-23T14:21:31.000Z", "modified": "2019-08-23T14:21:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:28.000Z", "id": "observed-data--f75e7030-badd-4bb5-9ee0-c3690dc0f95c", "last_observed": "2019-08-23T14:21:28.000Z", "modified": "2019-08-23T14:21:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMToyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:24.000Z", "id": "observed-data--c9990114-26d0-402c-8266-2626f56858af", "last_observed": "2019-08-23T14:21:24.000Z", "modified": "2019-08-23T14:21:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMToyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:21.000Z", "id": "observed-data--dfbdd8ee-98f0-4e8b-aeb9-580f247cfd72", "last_observed": "2019-08-23T14:21:21.000Z", "modified": "2019-08-23T14:21:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMToyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:18.000Z", "id": "observed-data--8e9a4d92-1eb6-4647-87c3-378f41936499", "last_observed": "2019-08-23T14:21:18.000Z", "modified": "2019-08-23T14:21:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:15.000Z", "id": "observed-data--63bba8ca-28b0-46b9-b682-9bde1eaedd06", "last_observed": "2019-08-23T14:21:15.000Z", "modified": "2019-08-23T14:21:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMToxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:12.000Z", "id": "observed-data--20b3fbbe-755c-433c-9825-624df0ae14e8", "last_observed": "2019-08-23T14:21:12.000Z", "modified": "2019-08-23T14:21:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMToxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:09.000Z", "id": "observed-data--6d6f9063-d2a7-4c50-9ae0-221600b9a3b4", "last_observed": "2019-08-23T14:21:09.000Z", "modified": "2019-08-23T14:21:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:05.000Z", "id": "observed-data--340221f3-1d75-494b-baef-d7e6af9e85c8", "last_observed": "2019-08-23T14:21:05.000Z", "modified": "2019-08-23T14:21:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:21:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:21:02.000Z", "id": "observed-data--ffb7b98a-4494-4b87-a5b6-3fc9115197e4", "last_observed": "2019-08-23T14:21:02.000Z", "modified": "2019-08-23T14:21:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjE6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:21:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:21:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:59.000Z", "id": "observed-data--e7882f22-555e-49e9-b0ca-af2eb41d631e", "last_observed": "2019-08-23T14:20:59.000Z", "modified": "2019-08-23T14:20:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:56.000Z", "id": "observed-data--385e97ad-7cc5-47e9-bd7a-e94df933b868", "last_observed": "2019-08-23T14:20:56.000Z", "modified": "2019-08-23T14:20:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:53.000Z", "id": "observed-data--a45dd9db-1ba4-42d4-9bd3-e961dd087f8c", "last_observed": "2019-08-23T14:20:53.000Z", "modified": "2019-08-23T14:20:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:50.000Z", "id": "observed-data--1105d9a5-9b4d-4c49-893f-cc677687f771", "last_observed": "2019-08-23T14:20:50.000Z", "modified": "2019-08-23T14:20:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:47.000Z", "id": "observed-data--fc410efc-dd2e-4585-a378-6a9ae4cf243b", "last_observed": "2019-08-23T14:20:47.000Z", "modified": "2019-08-23T14:20:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:43.000Z", "id": "observed-data--33bd43ea-8662-45bb-a646-1a775f20d657", "last_observed": "2019-08-23T14:20:43.000Z", "modified": "2019-08-23T14:20:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:40.000Z", "id": "observed-data--338eec3d-53d1-440b-91c1-a57739443ee9", "last_observed": "2019-08-23T14:20:40.000Z", "modified": "2019-08-23T14:20:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:37.000Z", "id": "observed-data--ece94499-2df5-4b1f-b8b3-23003a393b68", "last_observed": "2019-08-23T14:20:37.000Z", "modified": "2019-08-23T14:20:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:34.000Z", "id": "observed-data--e43b93b9-bc31-44f4-bb40-251aee9f0b5c", "last_observed": "2019-08-23T14:20:34.000Z", "modified": "2019-08-23T14:20:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:31.000Z", "id": "observed-data--2b154eb4-c7b8-4981-963f-c3063e3464c0", "last_observed": "2019-08-23T14:20:31.000Z", "modified": "2019-08-23T14:20:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:28.000Z", "id": "observed-data--85bd9f61-5780-4d0f-b9bb-f0cb3e78d42e", "last_observed": "2019-08-23T14:20:28.000Z", "modified": "2019-08-23T14:20:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:25.000Z", "id": "observed-data--9c905b5d-2f46-4724-9f5a-a2ebcf06ab81", "last_observed": "2019-08-23T14:20:25.000Z", "modified": "2019-08-23T14:20:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:21.000Z", "id": "observed-data--2f0c1603-0559-4ef0-95b7-93810b25a553", "last_observed": "2019-08-23T14:20:21.000Z", "modified": "2019-08-23T14:20:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:18.000Z", "id": "observed-data--ffb4b3b4-2011-4d18-b0ef-991e6b498e9b", "last_observed": "2019-08-23T14:20:18.000Z", "modified": "2019-08-23T14:20:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:15.000Z", "id": "observed-data--4dba05d1-8576-441c-9c6e-aed6abf6e0e0", "last_observed": "2019-08-23T14:20:15.000Z", "modified": "2019-08-23T14:20:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:12.000Z", "id": "observed-data--086fe86e-72cb-4fe0-b123-7bffbb1e844a", "last_observed": "2019-08-23T14:20:12.000Z", "modified": "2019-08-23T14:20:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:09.000Z", "id": "observed-data--5d639e04-9f49-40ef-863c-217bcbcb4ed9", "last_observed": "2019-08-23T14:20:09.000Z", "modified": "2019-08-23T14:20:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:06.000Z", "id": "observed-data--9e0b42bf-885f-49ff-a73e-b0889e40c59f", "last_observed": "2019-08-23T14:20:06.000Z", "modified": "2019-08-23T14:20:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:20:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:20:03.000Z", "id": "observed-data--e66b676f-1162-4a79-a9cf-72e5fa0439c1", "last_observed": "2019-08-23T14:20:03.000Z", "modified": "2019-08-23T14:20:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MjA6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoyMDowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:20:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:20:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:59.000Z", "id": "observed-data--fe0a7451-1dcd-4426-a856-b55cdd041cba", "last_observed": "2019-08-23T14:19:59.000Z", "modified": "2019-08-23T14:19:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:56.000Z", "id": "observed-data--0e1e277f-e694-483e-aabd-bb3ce3e29b23", "last_observed": "2019-08-23T14:19:56.000Z", "modified": "2019-08-23T14:19:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:53.000Z", "id": "observed-data--c1d4352c-c972-4ea8-ac68-d1f160d0be8e", "last_observed": "2019-08-23T14:19:53.000Z", "modified": "2019-08-23T14:19:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:50.000Z", "id": "observed-data--0343cfb4-2cb3-4e53-80bc-988b496e9543", "last_observed": "2019-08-23T14:19:50.000Z", "modified": "2019-08-23T14:19:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:47.000Z", "id": "observed-data--b29f1e81-6870-4f4b-87b6-a4291a704241", "last_observed": "2019-08-23T14:19:47.000Z", "modified": "2019-08-23T14:19:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:44.000Z", "id": "observed-data--13445bb3-daf0-4d00-bc9f-a2df563b30b6", "last_observed": "2019-08-23T14:19:44.000Z", "modified": "2019-08-23T14:19:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:40.000Z", "id": "observed-data--fe9fc185-46f4-489b-adf8-83b221edb177", "last_observed": "2019-08-23T14:19:40.000Z", "modified": "2019-08-23T14:19:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:37.000Z", "id": "observed-data--da230828-2e8f-48ce-a510-3c69a376a970", "last_observed": "2019-08-23T14:19:37.000Z", "modified": "2019-08-23T14:19:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:34.000Z", "id": "observed-data--1a48cee1-5ae4-486d-8f12-06afcfd7959f", "last_observed": "2019-08-23T14:19:34.000Z", "modified": "2019-08-23T14:19:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:31.000Z", "id": "observed-data--50348b57-6fcf-4f03-918e-e8155f68ff6e", "last_observed": "2019-08-23T14:19:31.000Z", "modified": "2019-08-23T14:19:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:28.000Z", "id": "observed-data--71b64785-9a05-4a34-b097-186c9d970ded", "last_observed": "2019-08-23T14:19:28.000Z", "modified": "2019-08-23T14:19:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOToyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:25.000Z", "id": "observed-data--e7caea11-8f6b-444a-ad58-3af81c21a2fa", "last_observed": "2019-08-23T14:19:25.000Z", "modified": "2019-08-23T14:19:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOToyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:22.000Z", "id": "observed-data--0dccf104-d588-41ed-b483-b7eda40f7950", "last_observed": "2019-08-23T14:19:22.000Z", "modified": "2019-08-23T14:19:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOToyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:18.000Z", "id": "observed-data--fe242aa4-e497-40fb-bd73-723c43548901", "last_observed": "2019-08-23T14:19:18.000Z", "modified": "2019-08-23T14:19:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:15.000Z", "id": "observed-data--7af380dd-ecf6-491a-847b-3d774a7c5640", "last_observed": "2019-08-23T14:19:15.000Z", "modified": "2019-08-23T14:19:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOToxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:12.000Z", "id": "observed-data--a13b7574-b460-4b26-99e3-9a8b98027933", "last_observed": "2019-08-23T14:19:12.000Z", "modified": "2019-08-23T14:19:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOToxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:09.000Z", "id": "observed-data--525730c4-1eb9-4933-8d39-32508d045aff", "last_observed": "2019-08-23T14:19:09.000Z", "modified": "2019-08-23T14:19:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:06.000Z", "id": "observed-data--64a0a46e-9d47-47ff-8175-a267cff313a0", "last_observed": "2019-08-23T14:19:06.000Z", "modified": "2019-08-23T14:19:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:03.000Z", "id": "observed-data--4ec75394-6301-47b1-9f9d-8315c821fd7a", "last_observed": "2019-08-23T14:19:03.000Z", "modified": "2019-08-23T14:19:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:19:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:19:00.000Z", "id": "observed-data--ee7b7d67-610f-4150-86b1-0366ab55429f", "last_observed": "2019-08-23T14:19:00.000Z", "modified": "2019-08-23T14:19:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTk6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxOTowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:19:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:19:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:56.000Z", "id": "observed-data--f15ea126-c34a-4ff9-a3d4-f2bd54710c5e", "last_observed": "2019-08-23T14:18:56.000Z", "modified": "2019-08-23T14:18:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:53.000Z", "id": "observed-data--01e25f12-6c10-40e9-8869-85439eb6af15", "last_observed": "2019-08-23T14:18:53.000Z", "modified": "2019-08-23T14:18:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:50.000Z", "id": "observed-data--08685a10-be3f-4539-9491-ee0ef838b603", "last_observed": "2019-08-23T14:18:50.000Z", "modified": "2019-08-23T14:18:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:47.000Z", "id": "observed-data--d82d68d5-c554-413a-af25-68d14365c521", "last_observed": "2019-08-23T14:18:47.000Z", "modified": "2019-08-23T14:18:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:44.000Z", "id": "observed-data--505446de-5432-4d1a-b249-b84f7e02e56d", "last_observed": "2019-08-23T14:18:44.000Z", "modified": "2019-08-23T14:18:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:41.000Z", "id": "observed-data--790c9e3e-bec3-44f2-bad0-94e6254190d8", "last_observed": "2019-08-23T14:18:41.000Z", "modified": "2019-08-23T14:18:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:38.000Z", "id": "observed-data--5bbef51c-6928-4780-a47d-88f4043508a0", "last_observed": "2019-08-23T14:18:38.000Z", "modified": "2019-08-23T14:18:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:34.000Z", "id": "observed-data--7c717f39-ae48-4481-85a3-ad877d7051e5", "last_observed": "2019-08-23T14:18:34.000Z", "modified": "2019-08-23T14:18:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:31.000Z", "id": "observed-data--c51087e5-3a2e-4f04-9738-b7898289b43b", "last_observed": "2019-08-23T14:18:31.000Z", "modified": "2019-08-23T14:18:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:28.000Z", "id": "observed-data--f5b15631-d84d-46d1-aa2a-f11af9f42615", "last_observed": "2019-08-23T14:18:28.000Z", "modified": "2019-08-23T14:18:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:25.000Z", "id": "observed-data--2412f2aa-cf5b-4418-95b2-d5fac605e71a", "last_observed": "2019-08-23T14:18:25.000Z", "modified": "2019-08-23T14:18:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:22.000Z", "id": "observed-data--7cffa206-83ee-4bb7-94f7-534ca2f7ac64", "last_observed": "2019-08-23T14:18:22.000Z", "modified": "2019-08-23T14:18:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:19.000Z", "id": "observed-data--31ba7bf9-c4bf-4a09-9120-260f70deae06", "last_observed": "2019-08-23T14:18:19.000Z", "modified": "2019-08-23T14:18:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:15.000Z", "id": "observed-data--5cfa263a-c8a6-48e6-a200-8356a95c9a6d", "last_observed": "2019-08-23T14:18:15.000Z", "modified": "2019-08-23T14:18:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:12.000Z", "id": "observed-data--07f401d0-e568-4de0-ba85-e39dca6d1c85", "last_observed": "2019-08-23T14:18:12.000Z", "modified": "2019-08-23T14:18:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:09.000Z", "id": "observed-data--003d6f74-2231-465c-a18c-479caf3f55ae", "last_observed": "2019-08-23T14:18:09.000Z", "modified": "2019-08-23T14:18:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:06.000Z", "id": "observed-data--597ad092-b060-4e22-86b6-8cf80cc91b1d", "last_observed": "2019-08-23T14:18:06.000Z", "modified": "2019-08-23T14:18:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:03.000Z", "id": "observed-data--2c07367e-6477-4718-afcc-7c9b16fdd381", "last_observed": "2019-08-23T14:18:03.000Z", "modified": "2019-08-23T14:18:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:18:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:18:00.000Z", "id": "observed-data--cea0d83f-3201-465c-b7f9-53431af026a5", "last_observed": "2019-08-23T14:18:00.000Z", "modified": "2019-08-23T14:18:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTg6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxODowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:18:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:18:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:57.000Z", "id": "observed-data--6ef928da-d7a5-493e-810f-940fda36b41d", "last_observed": "2019-08-23T14:17:57.000Z", "modified": "2019-08-23T14:17:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:53.000Z", "id": "observed-data--fabfde63-491d-4d9e-a1a4-78babbbf206e", "last_observed": "2019-08-23T14:17:53.000Z", "modified": "2019-08-23T14:17:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:50.000Z", "id": "observed-data--4529f52c-5473-4905-b77d-a86ec803da8e", "last_observed": "2019-08-23T14:17:50.000Z", "modified": "2019-08-23T14:17:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:47.000Z", "id": "observed-data--5e18fa63-a50b-45ca-8eec-cccfa152d4b0", "last_observed": "2019-08-23T14:17:47.000Z", "modified": "2019-08-23T14:17:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:44.000Z", "id": "observed-data--ad49f0ca-8433-4495-b58c-9e014ecd3800", "last_observed": "2019-08-23T14:17:44.000Z", "modified": "2019-08-23T14:17:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:41.000Z", "id": "observed-data--bf8e187f-896d-430c-a998-4577f46538df", "last_observed": "2019-08-23T14:17:41.000Z", "modified": "2019-08-23T14:17:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:38.000Z", "id": "observed-data--6d0b5bc3-ad83-4fa5-8d6e-849c602e5d50", "last_observed": "2019-08-23T14:17:38.000Z", "modified": "2019-08-23T14:17:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:35.000Z", "id": "observed-data--4174743f-288b-460c-8a09-fa9f146b91c8", "last_observed": "2019-08-23T14:17:35.000Z", "modified": "2019-08-23T14:17:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:31.000Z", "id": "observed-data--be97ba4c-eeda-4d8e-96d4-0b83e0dfb060", "last_observed": "2019-08-23T14:17:31.000Z", "modified": "2019-08-23T14:17:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:28.000Z", "id": "observed-data--05e32faf-0648-48fa-bb5b-70924c88915f", "last_observed": "2019-08-23T14:17:28.000Z", "modified": "2019-08-23T14:17:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:25.000Z", "id": "observed-data--9ef33170-c145-47ff-98cb-d62912446b77", "last_observed": "2019-08-23T14:17:25.000Z", "modified": "2019-08-23T14:17:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:22.000Z", "id": "observed-data--1f9d2674-c584-4b78-94f4-efaa661eb985", "last_observed": "2019-08-23T14:17:22.000Z", "modified": "2019-08-23T14:17:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:19.000Z", "id": "observed-data--a77750ba-121e-4d77-88a5-c7ea864a04a5", "last_observed": "2019-08-23T14:17:19.000Z", "modified": "2019-08-23T14:17:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:16.000Z", "id": "observed-data--f102ca06-1484-4696-8024-b4489bf396ce", "last_observed": "2019-08-23T14:17:16.000Z", "modified": "2019-08-23T14:17:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:13.000Z", "id": "observed-data--b0c6eece-5fde-4c62-85e4-1201cef08e72", "last_observed": "2019-08-23T14:17:13.000Z", "modified": "2019-08-23T14:17:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:09.000Z", "id": "observed-data--01397af9-0007-42e1-ada4-588e965adf66", "last_observed": "2019-08-23T14:17:09.000Z", "modified": "2019-08-23T14:17:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:06.000Z", "id": "observed-data--3567a36f-9bec-4c3a-a9d4-b83a40d37217", "last_observed": "2019-08-23T14:17:06.000Z", "modified": "2019-08-23T14:17:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:03.000Z", "id": "observed-data--9c7c1b75-5a70-400b-b02d-346d22d040a0", "last_observed": "2019-08-23T14:17:03.000Z", "modified": "2019-08-23T14:17:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:17:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:17:00.000Z", "id": "observed-data--699dd7e5-9233-495c-a5a9-e5fe58ac882e", "last_observed": "2019-08-23T14:17:00.000Z", "modified": "2019-08-23T14:17:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTc6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNzowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:17:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:17:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:57.000Z", "id": "observed-data--148fa34f-50ae-4d42-b410-a5b98448aa0f", "last_observed": "2019-08-23T14:16:57.000Z", "modified": "2019-08-23T14:16:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:54.000Z", "id": "observed-data--647e96af-5985-442a-ba57-5877772a9f45", "last_observed": "2019-08-23T14:16:54.000Z", "modified": "2019-08-23T14:16:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:50.000Z", "id": "observed-data--a75b0ae1-5f96-4c18-b1d6-e473dbe71289", "last_observed": "2019-08-23T14:16:50.000Z", "modified": "2019-08-23T14:16:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:47.000Z", "id": "observed-data--134345c7-20b6-4604-8d31-308506242d93", "last_observed": "2019-08-23T14:16:47.000Z", "modified": "2019-08-23T14:16:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:44.000Z", "id": "observed-data--989caabd-6192-4a8f-82ff-764a4b94cce8", "last_observed": "2019-08-23T14:16:44.000Z", "modified": "2019-08-23T14:16:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:41.000Z", "id": "observed-data--e52999e7-3d18-43f3-adbe-0f5c4caf6600", "last_observed": "2019-08-23T14:16:41.000Z", "modified": "2019-08-23T14:16:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:38.000Z", "id": "observed-data--1c4baa26-1aa2-4c7e-b646-fed92c832c96", "last_observed": "2019-08-23T14:16:38.000Z", "modified": "2019-08-23T14:16:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:35.000Z", "id": "observed-data--b71706ca-bd2f-4f5e-8e54-26ae0de87e18", "last_observed": "2019-08-23T14:16:35.000Z", "modified": "2019-08-23T14:16:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:32.000Z", "id": "observed-data--79890f22-ab12-440b-8c53-eccae7ee4637", "last_observed": "2019-08-23T14:16:32.000Z", "modified": "2019-08-23T14:16:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:28.000Z", "id": "observed-data--696ed286-c7b8-402b-a704-0bf06cfc472a", "last_observed": "2019-08-23T14:16:28.000Z", "modified": "2019-08-23T14:16:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:25.000Z", "id": "observed-data--d7b850f1-ad37-4721-bd8c-745fbf60a549", "last_observed": "2019-08-23T14:16:25.000Z", "modified": "2019-08-23T14:16:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:22.000Z", "id": "observed-data--30476134-1677-458d-8d60-3612485aeb02", "last_observed": "2019-08-23T14:16:22.000Z", "modified": "2019-08-23T14:16:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:19.000Z", "id": "observed-data--b81043fd-871a-4bd8-9b65-594fc328700a", "last_observed": "2019-08-23T14:16:19.000Z", "modified": "2019-08-23T14:16:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:16.000Z", "id": "observed-data--9da30f96-6e4f-4b47-ae39-cf77d9fb2af2", "last_observed": "2019-08-23T14:16:16.000Z", "modified": "2019-08-23T14:16:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:13.000Z", "id": "observed-data--13a87150-8768-4802-af90-a433d7b71ce5", "last_observed": "2019-08-23T14:16:13.000Z", "modified": "2019-08-23T14:16:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:10.000Z", "id": "observed-data--eb55c307-f3d0-4ef2-b11b-b1a0932b6ef9", "last_observed": "2019-08-23T14:16:10.000Z", "modified": "2019-08-23T14:16:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:06.000Z", "id": "observed-data--2dae20d0-a672-4db4-8139-65c7277c1aa1", "last_observed": "2019-08-23T14:16:06.000Z", "modified": "2019-08-23T14:16:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:03.000Z", "id": "observed-data--29e579ef-fc32-4b56-8fdc-a10417a442d5", "last_observed": "2019-08-23T14:16:03.000Z", "modified": "2019-08-23T14:16:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:16:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:16:00.000Z", "id": "observed-data--5de6a48b-c9e7-40f4-8642-c433fe7fc127", "last_observed": "2019-08-23T14:16:00.000Z", "modified": "2019-08-23T14:16:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTY6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNjowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:16:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:16:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:57.000Z", "id": "observed-data--500282cb-a139-40f2-8f2e-1915cccbca8a", "last_observed": "2019-08-23T14:15:57.000Z", "modified": "2019-08-23T14:15:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:54.000Z", "id": "observed-data--6d855417-4fe1-4a66-b6fe-323a577da54e", "last_observed": "2019-08-23T14:15:54.000Z", "modified": "2019-08-23T14:15:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:51.000Z", "id": "observed-data--9292a3bd-52bb-45b3-9a5b-82c5f1765111", "last_observed": "2019-08-23T14:15:51.000Z", "modified": "2019-08-23T14:15:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:47.000Z", "id": "observed-data--7f45a909-4b33-496f-bcf4-b69d0d70b846", "last_observed": "2019-08-23T14:15:47.000Z", "modified": "2019-08-23T14:15:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:44.000Z", "id": "observed-data--ec7566e3-6d0f-463c-ba9e-03a2a7141f0c", "last_observed": "2019-08-23T14:15:44.000Z", "modified": "2019-08-23T14:15:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:41.000Z", "id": "observed-data--af15163d-dd73-4284-b749-7f7bc19bee57", "last_observed": "2019-08-23T14:15:41.000Z", "modified": "2019-08-23T14:15:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:38.000Z", "id": "observed-data--c0b227f9-63ea-4176-84bb-b6fc9d0edff4", "last_observed": "2019-08-23T14:15:38.000Z", "modified": "2019-08-23T14:15:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:35.000Z", "id": "observed-data--27022ddb-080c-4785-ac1e-10d84a55aac6", "last_observed": "2019-08-23T14:15:35.000Z", "modified": "2019-08-23T14:15:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:32.000Z", "id": "observed-data--efb260d9-5dca-47cc-a8e7-26dc848c1580", "last_observed": "2019-08-23T14:15:32.000Z", "modified": "2019-08-23T14:15:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:29.000Z", "id": "observed-data--e2e97093-59dd-4b8a-8f6c-d9145ef039c0", "last_observed": "2019-08-23T14:15:29.000Z", "modified": "2019-08-23T14:15:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:25.000Z", "id": "observed-data--d63ca100-5589-447e-9249-288eb6edfc7e", "last_observed": "2019-08-23T14:15:25.000Z", "modified": "2019-08-23T14:15:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:22.000Z", "id": "observed-data--2c1922ff-96b9-4175-8ea7-6a73f2e2e1ab", "last_observed": "2019-08-23T14:15:22.000Z", "modified": "2019-08-23T14:15:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:19.000Z", "id": "observed-data--912a40e5-9045-4d91-b006-a2ec5dd4b1c7", "last_observed": "2019-08-23T14:15:19.000Z", "modified": "2019-08-23T14:15:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:16.000Z", "id": "observed-data--41f2a997-7b02-44ae-a3d5-6ac4d48b60c9", "last_observed": "2019-08-23T14:15:16.000Z", "modified": "2019-08-23T14:15:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:13.000Z", "id": "observed-data--e287e317-71d9-43f7-9f4d-621ffb177dc6", "last_observed": "2019-08-23T14:15:13.000Z", "modified": "2019-08-23T14:15:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:10.000Z", "id": "observed-data--32914c56-ac4d-4bb8-9a98-97648d2ed33c", "last_observed": "2019-08-23T14:15:10.000Z", "modified": "2019-08-23T14:15:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNToxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:07.000Z", "id": "observed-data--c5835e8d-a4ce-47dc-9a1d-103c844a1c7c", "last_observed": "2019-08-23T14:15:07.000Z", "modified": "2019-08-23T14:15:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:03.000Z", "id": "observed-data--2d326f35-135e-4631-b995-0ea487987853", "last_observed": "2019-08-23T14:15:03.000Z", "modified": "2019-08-23T14:15:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:15:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:15:00.000Z", "id": "observed-data--40467a9b-743b-4a46-ba65-35c01281b926", "last_observed": "2019-08-23T14:15:00.000Z", "modified": "2019-08-23T14:15:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTU6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNTowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:15:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:15:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:57.000Z", "id": "observed-data--7fee93fc-91e5-4352-bbad-b1e13e2427fc", "last_observed": "2019-08-23T14:14:57.000Z", "modified": "2019-08-23T14:14:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:54.000Z", "id": "observed-data--40657ec7-a932-4af1-9919-cc0811ccf948", "last_observed": "2019-08-23T14:14:54.000Z", "modified": "2019-08-23T14:14:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:51.000Z", "id": "observed-data--351c1215-49be-4b7f-82b3-4f870a15651e", "last_observed": "2019-08-23T14:14:51.000Z", "modified": "2019-08-23T14:14:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:48.000Z", "id": "observed-data--4970373c-86ab-4106-a7b6-6028d928740e", "last_observed": "2019-08-23T14:14:48.000Z", "modified": "2019-08-23T14:14:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:45.000Z", "id": "observed-data--5b61eb45-c916-4b94-b32c-e791e0b7dcfa", "last_observed": "2019-08-23T14:14:45.000Z", "modified": "2019-08-23T14:14:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:41.000Z", "id": "observed-data--f229b7c6-e8e4-4923-bf85-0695289969b7", "last_observed": "2019-08-23T14:14:41.000Z", "modified": "2019-08-23T14:14:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:38.000Z", "id": "observed-data--0fcd606d-15a3-4451-af37-3e073561feb9", "last_observed": "2019-08-23T14:14:38.000Z", "modified": "2019-08-23T14:14:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:35.000Z", "id": "observed-data--b46b7fd7-0ac7-4fc6-af75-2821fd6b327a", "last_observed": "2019-08-23T14:14:35.000Z", "modified": "2019-08-23T14:14:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:32.000Z", "id": "observed-data--6f5baa13-9ab7-4af2-922d-1dc4c7ca3f9a", "last_observed": "2019-08-23T14:14:32.000Z", "modified": "2019-08-23T14:14:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:29.000Z", "id": "observed-data--a8d4ac97-f7e3-4f13-ba5b-2005e323c536", "last_observed": "2019-08-23T14:14:29.000Z", "modified": "2019-08-23T14:14:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:26.000Z", "id": "observed-data--421b8dbd-b5ea-4e55-84d2-387989142ffa", "last_observed": "2019-08-23T14:14:26.000Z", "modified": "2019-08-23T14:14:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:22.000Z", "id": "observed-data--58106173-9b69-4752-9193-a6a405c3b7df", "last_observed": "2019-08-23T14:14:22.000Z", "modified": "2019-08-23T14:14:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:19.000Z", "id": "observed-data--f59ca953-3f62-4160-8781-b6c1014c4b90", "last_observed": "2019-08-23T14:14:19.000Z", "modified": "2019-08-23T14:14:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:16.000Z", "id": "observed-data--0d2d2a14-915b-4413-9bf0-def34204ebc6", "last_observed": "2019-08-23T14:14:16.000Z", "modified": "2019-08-23T14:14:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:13.000Z", "id": "observed-data--014bce6c-b003-4310-bf4e-591742982afc", "last_observed": "2019-08-23T14:14:13.000Z", "modified": "2019-08-23T14:14:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:10.000Z", "id": "observed-data--36cea8e8-b76f-48cd-a48b-05d4f47eb9b2", "last_observed": "2019-08-23T14:14:10.000Z", "modified": "2019-08-23T14:14:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:07.000Z", "id": "observed-data--014378f2-7aeb-4f93-926c-df8851c8ca41", "last_observed": "2019-08-23T14:14:07.000Z", "modified": "2019-08-23T14:14:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:04.000Z", "id": "observed-data--28667510-af9e-4fe9-bc2d-dbae4b75bbe1", "last_observed": "2019-08-23T14:14:04.000Z", "modified": "2019-08-23T14:14:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:14:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:14:00.000Z", "id": "observed-data--855f4ee8-e843-4aa6-9595-e2b2a2e6dd98", "last_observed": "2019-08-23T14:14:00.000Z", "modified": "2019-08-23T14:14:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTQ6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxNDowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:14:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:14:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:57.000Z", "id": "observed-data--f51e1d85-6bab-4fe0-b365-e0ffe7d2fdfc", "last_observed": "2019-08-23T14:13:57.000Z", "modified": "2019-08-23T14:13:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:54.000Z", "id": "observed-data--22b9db9b-fb56-4cd5-9605-4c3311ad6191", "last_observed": "2019-08-23T14:13:54.000Z", "modified": "2019-08-23T14:13:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:51.000Z", "id": "observed-data--981a6158-fe21-4cbd-aca6-bbf2d835b490", "last_observed": "2019-08-23T14:13:51.000Z", "modified": "2019-08-23T14:13:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:48.000Z", "id": "observed-data--a56152fd-8565-43a2-bccb-4269ec2c6f87", "last_observed": "2019-08-23T14:13:48.000Z", "modified": "2019-08-23T14:13:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:45.000Z", "id": "observed-data--4625638d-60d5-49a4-afb7-149f277dfaf0", "last_observed": "2019-08-23T14:13:45.000Z", "modified": "2019-08-23T14:13:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:42.000Z", "id": "observed-data--5edeb67f-c7bc-48a0-95a1-e79456872e60", "last_observed": "2019-08-23T14:13:42.000Z", "modified": "2019-08-23T14:13:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:38.000Z", "id": "observed-data--a8f790af-d4cb-4ceb-b5eb-871f690bd267", "last_observed": "2019-08-23T14:13:38.000Z", "modified": "2019-08-23T14:13:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:35.000Z", "id": "observed-data--0f9f72b7-255b-4d0b-94d2-5dbae8d542c9", "last_observed": "2019-08-23T14:13:35.000Z", "modified": "2019-08-23T14:13:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:32.000Z", "id": "observed-data--11e6b1d8-a1a7-45e7-bad1-84949e1bb4cb", "last_observed": "2019-08-23T14:13:32.000Z", "modified": "2019-08-23T14:13:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:29.000Z", "id": "observed-data--c7cd5c64-5267-4ed3-b543-d99aee8fec9f", "last_observed": "2019-08-23T14:13:29.000Z", "modified": "2019-08-23T14:13:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:26.000Z", "id": "observed-data--4e81694e-e3ec-4b7f-9c68-2ab3ddb8a9d6", "last_observed": "2019-08-23T14:13:26.000Z", "modified": "2019-08-23T14:13:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:23.000Z", "id": "observed-data--891f4990-2e28-43b2-8d29-d9e5614eb2b2", "last_observed": "2019-08-23T14:13:23.000Z", "modified": "2019-08-23T14:13:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:20.000Z", "id": "observed-data--8db26923-9832-4bf9-b955-21ca480260f5", "last_observed": "2019-08-23T14:13:20.000Z", "modified": "2019-08-23T14:13:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:16.000Z", "id": "observed-data--e08b0724-b8d5-4061-b30a-aa68c911f4fe", "last_observed": "2019-08-23T14:13:16.000Z", "modified": "2019-08-23T14:13:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:13.000Z", "id": "observed-data--aa86a170-267b-4aca-89b4-6fb33980b10d", "last_observed": "2019-08-23T14:13:13.000Z", "modified": "2019-08-23T14:13:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:10.000Z", "id": "observed-data--e67be1f4-647b-466c-b890-b93ecdc74304", "last_observed": "2019-08-23T14:13:10.000Z", "modified": "2019-08-23T14:13:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:07.000Z", "id": "observed-data--a47c9a8d-30ed-4a0c-a2d8-b60d7c0c1185", "last_observed": "2019-08-23T14:13:07.000Z", "modified": "2019-08-23T14:13:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:04.000Z", "id": "observed-data--5dd3a527-d1c6-46ae-a202-63af7ed9c4ca", "last_observed": "2019-08-23T14:13:04.000Z", "modified": "2019-08-23T14:13:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:13:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:13:01.000Z", "id": "observed-data--9352dd6f-0197-491a-ae0b-0d27c926437a", "last_observed": "2019-08-23T14:13:01.000Z", "modified": "2019-08-23T14:13:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTM6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMzowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:13:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:13:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:57.000Z", "id": "observed-data--5189cebc-9cf3-40c8-9fc7-8a5b11bf5539", "last_observed": "2019-08-23T14:12:57.000Z", "modified": "2019-08-23T14:12:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:54.000Z", "id": "observed-data--ca60d805-84e8-4919-b243-ec5acb94df11", "last_observed": "2019-08-23T14:12:54.000Z", "modified": "2019-08-23T14:12:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:51.000Z", "id": "observed-data--e0341e80-f805-4b55-8d2d-cd41d43beb83", "last_observed": "2019-08-23T14:12:51.000Z", "modified": "2019-08-23T14:12:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:48.000Z", "id": "observed-data--a35a9df8-49cb-439d-ba13-0f78833abc65", "last_observed": "2019-08-23T14:12:48.000Z", "modified": "2019-08-23T14:12:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:45.000Z", "id": "observed-data--c537238d-e20e-46d4-ab50-e58e3d76894f", "last_observed": "2019-08-23T14:12:45.000Z", "modified": "2019-08-23T14:12:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:42.000Z", "id": "observed-data--cdc1f976-e2cc-424d-b9bb-2f7193e6f1f1", "last_observed": "2019-08-23T14:12:42.000Z", "modified": "2019-08-23T14:12:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:39.000Z", "id": "observed-data--896e1313-0a14-4c04-a72e-92eb1347f79f", "last_observed": "2019-08-23T14:12:39.000Z", "modified": "2019-08-23T14:12:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:35.000Z", "id": "observed-data--4bf85c10-a6a0-4c92-8e30-2f5713f7fe65", "last_observed": "2019-08-23T14:12:35.000Z", "modified": "2019-08-23T14:12:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:32.000Z", "id": "observed-data--5b49555d-48d5-4cb8-bf41-9b4216137f5f", "last_observed": "2019-08-23T14:12:32.000Z", "modified": "2019-08-23T14:12:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:29.000Z", "id": "observed-data--4c868536-e14d-402a-9f53-438649ebc0ce", "last_observed": "2019-08-23T14:12:29.000Z", "modified": "2019-08-23T14:12:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:26.000Z", "id": "observed-data--4cf39a57-3bb8-4ce6-9a47-a230b6135dcc", "last_observed": "2019-08-23T14:12:26.000Z", "modified": "2019-08-23T14:12:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:23.000Z", "id": "observed-data--63942ebc-7bb6-48ba-8431-d135b45e874a", "last_observed": "2019-08-23T14:12:23.000Z", "modified": "2019-08-23T14:12:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:20.000Z", "id": "observed-data--89260288-7d09-4ab6-9349-e0849ff01fd2", "last_observed": "2019-08-23T14:12:20.000Z", "modified": "2019-08-23T14:12:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:17.000Z", "id": "observed-data--6aef531f-a3f0-450b-9853-fcb614b6ab8a", "last_observed": "2019-08-23T14:12:17.000Z", "modified": "2019-08-23T14:12:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:13.000Z", "id": "observed-data--82952dd0-ffd0-4600-bd42-dc7a5a1de043", "last_observed": "2019-08-23T14:12:13.000Z", "modified": "2019-08-23T14:12:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:10.000Z", "id": "observed-data--f02117ed-ff45-4e1c-a97d-c4c7efda4d96", "last_observed": "2019-08-23T14:12:10.000Z", "modified": "2019-08-23T14:12:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:07.000Z", "id": "observed-data--5f75de29-b0c1-44e4-b4bf-663708fda36c", "last_observed": "2019-08-23T14:12:07.000Z", "modified": "2019-08-23T14:12:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:04.000Z", "id": "observed-data--d2b8f0c1-1d65-46be-9c9a-5e9d32c1a056", "last_observed": "2019-08-23T14:12:04.000Z", "modified": "2019-08-23T14:12:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:12:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:12:01.000Z", "id": "observed-data--ab4a526b-0cbd-49a1-a9a7-dcb3aaedf22b", "last_observed": "2019-08-23T14:12:01.000Z", "modified": "2019-08-23T14:12:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTI6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMjowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:12:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:12:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:58.000Z", "id": "observed-data--825605ba-3a43-4a98-90cc-29917a6c7d5b", "last_observed": "2019-08-23T14:11:58.000Z", "modified": "2019-08-23T14:11:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:54.000Z", "id": "observed-data--09ee5811-f621-4cbd-a3a0-a66aa6d8dbaa", "last_observed": "2019-08-23T14:11:54.000Z", "modified": "2019-08-23T14:11:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:51.000Z", "id": "observed-data--ccb0afd8-2275-4be8-81e2-1d0c88afdb97", "last_observed": "2019-08-23T14:11:51.000Z", "modified": "2019-08-23T14:11:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:48.000Z", "id": "observed-data--0fe36301-4ed9-4310-a0dd-364c3672777c", "last_observed": "2019-08-23T14:11:48.000Z", "modified": "2019-08-23T14:11:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:45.000Z", "id": "observed-data--92917dd7-99c4-4f6d-8fb8-52b0ced1f3f5", "last_observed": "2019-08-23T14:11:45.000Z", "modified": "2019-08-23T14:11:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:42.000Z", "id": "observed-data--ff435979-d2dc-4a11-a94c-9eb148c045a5", "last_observed": "2019-08-23T14:11:42.000Z", "modified": "2019-08-23T14:11:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:39.000Z", "id": "observed-data--f5186a81-f33f-4047-81ba-7457118374fb", "last_observed": "2019-08-23T14:11:39.000Z", "modified": "2019-08-23T14:11:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:36.000Z", "id": "observed-data--c53d3f6a-c798-4a42-bcc5-8749bcfc20d8", "last_observed": "2019-08-23T14:11:36.000Z", "modified": "2019-08-23T14:11:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:32.000Z", "id": "observed-data--b78557fc-ea4b-4a21-8c43-ae57a54fb31c", "last_observed": "2019-08-23T14:11:32.000Z", "modified": "2019-08-23T14:11:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:29.000Z", "id": "observed-data--48bc460f-c6f6-4259-a4fd-396b4952fa75", "last_observed": "2019-08-23T14:11:29.000Z", "modified": "2019-08-23T14:11:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:26.000Z", "id": "observed-data--210168a4-15fb-4dbd-89b3-cd09f2bb5cfd", "last_observed": "2019-08-23T14:11:26.000Z", "modified": "2019-08-23T14:11:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:23.000Z", "id": "observed-data--4ec60d64-9a1e-4357-976a-f3eee01cd249", "last_observed": "2019-08-23T14:11:23.000Z", "modified": "2019-08-23T14:11:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:20.000Z", "id": "observed-data--935b899d-0af7-4e74-bbe9-2de02bfd7a62", "last_observed": "2019-08-23T14:11:20.000Z", "modified": "2019-08-23T14:11:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:17.000Z", "id": "observed-data--2c7f8391-ce66-4c26-9d78-bcfd16de24d5", "last_observed": "2019-08-23T14:11:17.000Z", "modified": "2019-08-23T14:11:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:13.000Z", "id": "observed-data--08f8257d-ab1e-45a8-90db-27e66965bb3a", "last_observed": "2019-08-23T14:11:13.000Z", "modified": "2019-08-23T14:11:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:10.000Z", "id": "observed-data--1b178470-0e66-4eae-9f8f-43023790439c", "last_observed": "2019-08-23T14:11:10.000Z", "modified": "2019-08-23T14:11:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMToxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:07.000Z", "id": "observed-data--3a94fbc6-528f-4e97-b535-1b792ab989e5", "last_observed": "2019-08-23T14:11:07.000Z", "modified": "2019-08-23T14:11:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:04.000Z", "id": "observed-data--7dbb5882-3ff2-4f25-b03b-1dc193a02f88", "last_observed": "2019-08-23T14:11:04.000Z", "modified": "2019-08-23T14:11:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:11:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:11:01.000Z", "id": "observed-data--cb35179d-56a7-4cae-b5ef-e2bce00de98b", "last_observed": "2019-08-23T14:11:01.000Z", "modified": "2019-08-23T14:11:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTE6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMTowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:11:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:11:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:58.000Z", "id": "observed-data--1e1db4f2-3cff-4e0a-b598-554cd713007d", "last_observed": "2019-08-23T14:10:58.000Z", "modified": "2019-08-23T14:10:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:55.000Z", "id": "observed-data--77c65c3d-27fd-4dc1-83ca-ff403e5f2e47", "last_observed": "2019-08-23T14:10:55.000Z", "modified": "2019-08-23T14:10:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:51.000Z", "id": "observed-data--7eaee13e-3d91-4452-84b0-72773b157762", "last_observed": "2019-08-23T14:10:51.000Z", "modified": "2019-08-23T14:10:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:48.000Z", "id": "observed-data--9abeaf69-f714-411a-a797-f9ad98b65f64", "last_observed": "2019-08-23T14:10:48.000Z", "modified": "2019-08-23T14:10:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:45.000Z", "id": "observed-data--e7b0068f-801f-4901-8ade-7cf6b5f39d3a", "last_observed": "2019-08-23T14:10:45.000Z", "modified": "2019-08-23T14:10:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:42.000Z", "id": "observed-data--a32f3207-13b6-4b69-97c3-9b4b5975582a", "last_observed": "2019-08-23T14:10:42.000Z", "modified": "2019-08-23T14:10:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:39.000Z", "id": "observed-data--d0ad0693-966e-4ad1-8e38-e82b6a8b7bf7", "last_observed": "2019-08-23T14:10:39.000Z", "modified": "2019-08-23T14:10:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:36.000Z", "id": "observed-data--e3d61017-a6cd-4e5b-b41d-9a3fd6281f73", "last_observed": "2019-08-23T14:10:36.000Z", "modified": "2019-08-23T14:10:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:33.000Z", "id": "observed-data--a0e1c9f7-a20e-4007-9b7d-3cb1d4ef2095", "last_observed": "2019-08-23T14:10:33.000Z", "modified": "2019-08-23T14:10:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:29.000Z", "id": "observed-data--c327f78a-862f-4372-8340-df248c55e0a9", "last_observed": "2019-08-23T14:10:29.000Z", "modified": "2019-08-23T14:10:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:26.000Z", "id": "observed-data--49227e80-8cce-4ce5-beb2-35cc9afe5409", "last_observed": "2019-08-23T14:10:26.000Z", "modified": "2019-08-23T14:10:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:23.000Z", "id": "observed-data--56444d50-4965-45b4-b784-50f206df6c80", "last_observed": "2019-08-23T14:10:23.000Z", "modified": "2019-08-23T14:10:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:20.000Z", "id": "observed-data--b2bf5875-ff61-4b79-9333-d11e1afed43f", "last_observed": "2019-08-23T14:10:20.000Z", "modified": "2019-08-23T14:10:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:17.000Z", "id": "observed-data--5c7f3379-2b01-4a4e-9b96-9fb31b0cb44e", "last_observed": "2019-08-23T14:10:17.000Z", "modified": "2019-08-23T14:10:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:14.000Z", "id": "observed-data--e6118b53-3215-4253-bdfd-fe06b8c3414c", "last_observed": "2019-08-23T14:10:14.000Z", "modified": "2019-08-23T14:10:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:10.000Z", "id": "observed-data--4098c6ac-d561-4374-a16b-2387ff5af086", "last_observed": "2019-08-23T14:10:10.000Z", "modified": "2019-08-23T14:10:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:07.000Z", "id": "observed-data--2609ddd9-dbc2-45fa-8b71-460277d2c456", "last_observed": "2019-08-23T14:10:07.000Z", "modified": "2019-08-23T14:10:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:04.000Z", "id": "observed-data--7d14a983-b21e-4af4-a322-33d79a3af776", "last_observed": "2019-08-23T14:10:04.000Z", "modified": "2019-08-23T14:10:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:10:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:10:01.000Z", "id": "observed-data--cf54b5c8-45c6-4f40-af4a-b6e84a2a4820", "last_observed": "2019-08-23T14:10:01.000Z", "modified": "2019-08-23T14:10:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MTA6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDoxMDowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:10:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:10:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:58.000Z", "id": "observed-data--a58dfbc8-8fa0-4271-8172-b6e360318ca5", "last_observed": "2019-08-23T14:09:58.000Z", "modified": "2019-08-23T14:09:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:55.000Z", "id": "observed-data--489aebc5-0f7f-4762-83a1-bc060628af22", "last_observed": "2019-08-23T14:09:55.000Z", "modified": "2019-08-23T14:09:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:52.000Z", "id": "observed-data--d17e0bd3-a5d3-448e-845a-5093a8d949e7", "last_observed": "2019-08-23T14:09:52.000Z", "modified": "2019-08-23T14:09:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:48.000Z", "id": "observed-data--80526c56-7a40-418b-a227-37700d1fd003", "last_observed": "2019-08-23T14:09:48.000Z", "modified": "2019-08-23T14:09:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:45.000Z", "id": "observed-data--f2eb88ac-f50e-42e1-93f9-69a25664aa28", "last_observed": "2019-08-23T14:09:45.000Z", "modified": "2019-08-23T14:09:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:42.000Z", "id": "observed-data--343806ff-e4fb-42b7-a3c8-c013509fa4d2", "last_observed": "2019-08-23T14:09:42.000Z", "modified": "2019-08-23T14:09:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:39.000Z", "id": "observed-data--20c91fab-48bb-4012-9fd4-eb6f6562c69e", "last_observed": "2019-08-23T14:09:39.000Z", "modified": "2019-08-23T14:09:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:36.000Z", "id": "observed-data--294ee142-8b48-47b5-a219-146c2dcc14a4", "last_observed": "2019-08-23T14:09:36.000Z", "modified": "2019-08-23T14:09:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:33.000Z", "id": "observed-data--0e1ba7e7-bd34-46c1-81a2-c6c1df362f97", "last_observed": "2019-08-23T14:09:33.000Z", "modified": "2019-08-23T14:09:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:30.000Z", "id": "observed-data--e5cb1e57-46c6-4839-9aea-b2e353e5a4b4", "last_observed": "2019-08-23T14:09:30.000Z", "modified": "2019-08-23T14:09:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:26.000Z", "id": "observed-data--0f99d204-b712-4683-9420-16ed49d4a036", "last_observed": "2019-08-23T14:09:26.000Z", "modified": "2019-08-23T14:09:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOToyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:23.000Z", "id": "observed-data--573b2894-929a-4f95-882e-782fbd0e6033", "last_observed": "2019-08-23T14:09:23.000Z", "modified": "2019-08-23T14:09:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOToyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:20.000Z", "id": "observed-data--73cac131-3414-4793-b832-3fafb419f665", "last_observed": "2019-08-23T14:09:20.000Z", "modified": "2019-08-23T14:09:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:17.000Z", "id": "observed-data--19af595b-e3d1-43a0-beb0-8ec98628d1c6", "last_observed": "2019-08-23T14:09:17.000Z", "modified": "2019-08-23T14:09:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOToxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:14.000Z", "id": "observed-data--77167dc5-0a96-4566-89de-0d44845abdd6", "last_observed": "2019-08-23T14:09:14.000Z", "modified": "2019-08-23T14:09:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOToxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:11.000Z", "id": "observed-data--0e3f5974-a2ab-4a99-8777-a4d3d2928db0", "last_observed": "2019-08-23T14:09:11.000Z", "modified": "2019-08-23T14:09:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOToxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:07.000Z", "id": "observed-data--70319518-cc3e-48f8-ba18-d38ffff0ca22", "last_observed": "2019-08-23T14:09:07.000Z", "modified": "2019-08-23T14:09:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:04.000Z", "id": "observed-data--7bfa9918-b73f-463d-b146-60e2f957c253", "last_observed": "2019-08-23T14:09:04.000Z", "modified": "2019-08-23T14:09:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:09:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:09:01.000Z", "id": "observed-data--3ddb57ea-302c-4874-8bf7-a8f0a8fd1ab9", "last_observed": "2019-08-23T14:09:01.000Z", "modified": "2019-08-23T14:09:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDk6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowOTowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:09:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:09:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:58.000Z", "id": "observed-data--35b80a4d-9a41-4e1a-b5d9-7e81b88e095d", "last_observed": "2019-08-23T14:08:58.000Z", "modified": "2019-08-23T14:08:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:55.000Z", "id": "observed-data--e93906c9-67c0-4e78-acc9-5fef47faa833", "last_observed": "2019-08-23T14:08:55.000Z", "modified": "2019-08-23T14:08:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:52.000Z", "id": "observed-data--0778edff-c4fc-4fa7-b062-9efcfd772ba5", "last_observed": "2019-08-23T14:08:52.000Z", "modified": "2019-08-23T14:08:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:49.000Z", "id": "observed-data--d47d330f-ea3c-44c3-87b6-43ffb760eee0", "last_observed": "2019-08-23T14:08:49.000Z", "modified": "2019-08-23T14:08:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:45.000Z", "id": "observed-data--0e38a5c7-b26f-475b-b0ea-e488333822a2", "last_observed": "2019-08-23T14:08:45.000Z", "modified": "2019-08-23T14:08:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:42.000Z", "id": "observed-data--542d4dc6-4ee4-4a4f-bcff-11dc19e13168", "last_observed": "2019-08-23T14:08:42.000Z", "modified": "2019-08-23T14:08:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:39.000Z", "id": "observed-data--bbe43548-01c8-4af2-b1e8-d315dc52b39a", "last_observed": "2019-08-23T14:08:39.000Z", "modified": "2019-08-23T14:08:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:36.000Z", "id": "observed-data--350890f1-a73d-4065-b102-86df00aed803", "last_observed": "2019-08-23T14:08:36.000Z", "modified": "2019-08-23T14:08:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:33.000Z", "id": "observed-data--f8ade468-e47e-4366-a40d-78b34fed5a63", "last_observed": "2019-08-23T14:08:33.000Z", "modified": "2019-08-23T14:08:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:30.000Z", "id": "observed-data--f9ab0aa9-49c6-474e-a5ec-bb9a71ad6eb2", "last_observed": "2019-08-23T14:08:30.000Z", "modified": "2019-08-23T14:08:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:27.000Z", "id": "observed-data--b0d2038d-0577-4a15-bc17-e5c868f4c1aa", "last_observed": "2019-08-23T14:08:27.000Z", "modified": "2019-08-23T14:08:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:23.000Z", "id": "observed-data--ac2dd994-bc1b-4a6f-9614-715a72e4d388", "last_observed": "2019-08-23T14:08:23.000Z", "modified": "2019-08-23T14:08:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:20.000Z", "id": "observed-data--04d28bdc-afc2-4d9f-8196-dec3c3597b8a", "last_observed": "2019-08-23T14:08:20.000Z", "modified": "2019-08-23T14:08:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:17.000Z", "id": "observed-data--cdaac7a7-b751-402e-b5e7-948c3c3566b2", "last_observed": "2019-08-23T14:08:17.000Z", "modified": "2019-08-23T14:08:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:14.000Z", "id": "observed-data--5207d716-5b4a-49c4-bedb-6eaf0d9e948d", "last_observed": "2019-08-23T14:08:14.000Z", "modified": "2019-08-23T14:08:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:11.000Z", "id": "observed-data--09158882-02bc-49a2-b191-c9ce54ac74d8", "last_observed": "2019-08-23T14:08:11.000Z", "modified": "2019-08-23T14:08:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:08.000Z", "id": "observed-data--4a501bc5-464e-4a18-9277-0dd79c42bd94", "last_observed": "2019-08-23T14:08:08.000Z", "modified": "2019-08-23T14:08:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:04.000Z", "id": "observed-data--5a60ef6f-1be2-46ae-b726-976ea7b3556a", "last_observed": "2019-08-23T14:08:04.000Z", "modified": "2019-08-23T14:08:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:08:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:08:01.000Z", "id": "observed-data--cc5d189d-1b38-4169-8c69-d57a9ce183f4", "last_observed": "2019-08-23T14:08:01.000Z", "modified": "2019-08-23T14:08:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDg6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowODowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:08:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:08:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:58.000Z", "id": "observed-data--a53ee34f-6022-40b0-8ef6-9eef70809011", "last_observed": "2019-08-23T14:07:58.000Z", "modified": "2019-08-23T14:07:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:55.000Z", "id": "observed-data--70d7f844-026f-4c5c-9203-c9e37c56af6b", "last_observed": "2019-08-23T14:07:55.000Z", "modified": "2019-08-23T14:07:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:52.000Z", "id": "observed-data--512d057f-cce9-43cd-a4c2-7d6f0dc83e1a", "last_observed": "2019-08-23T14:07:52.000Z", "modified": "2019-08-23T14:07:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:49.000Z", "id": "observed-data--051741ca-d576-426c-917b-5e9a12dbc9dd", "last_observed": "2019-08-23T14:07:49.000Z", "modified": "2019-08-23T14:07:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:46.000Z", "id": "observed-data--bc77b3bb-a53a-420e-8c2d-6cf86df6c81b", "last_observed": "2019-08-23T14:07:46.000Z", "modified": "2019-08-23T14:07:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:42.000Z", "id": "observed-data--7521f019-21d0-44e4-83d7-b8c3e04aba21", "last_observed": "2019-08-23T14:07:42.000Z", "modified": "2019-08-23T14:07:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:39.000Z", "id": "observed-data--41ee5a23-d648-4a7f-8106-acd321b63cd1", "last_observed": "2019-08-23T14:07:39.000Z", "modified": "2019-08-23T14:07:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:36.000Z", "id": "observed-data--ebd03c57-40eb-438f-bf2d-92a2a1417655", "last_observed": "2019-08-23T14:07:36.000Z", "modified": "2019-08-23T14:07:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:33.000Z", "id": "observed-data--5439ced4-fc00-4fe6-86ca-25e6eeabd6f0", "last_observed": "2019-08-23T14:07:33.000Z", "modified": "2019-08-23T14:07:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:30.000Z", "id": "observed-data--b13a27a7-e2c8-4b35-9658-2dcbffb4a402", "last_observed": "2019-08-23T14:07:30.000Z", "modified": "2019-08-23T14:07:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:27.000Z", "id": "observed-data--20d042d3-6413-4ef0-9ef7-db3e845f6c84", "last_observed": "2019-08-23T14:07:27.000Z", "modified": "2019-08-23T14:07:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:24.000Z", "id": "observed-data--a902b7ee-dd34-4e11-b243-bf67444b4c34", "last_observed": "2019-08-23T14:07:24.000Z", "modified": "2019-08-23T14:07:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:20.000Z", "id": "observed-data--8282b475-d12f-4a08-8302-cb8142fa6ce1", "last_observed": "2019-08-23T14:07:20.000Z", "modified": "2019-08-23T14:07:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:17.000Z", "id": "observed-data--89402120-0f17-480b-9265-101163ba499f", "last_observed": "2019-08-23T14:07:17.000Z", "modified": "2019-08-23T14:07:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:14.000Z", "id": "observed-data--50917157-6f44-4268-aa1d-db560d1972da", "last_observed": "2019-08-23T14:07:14.000Z", "modified": "2019-08-23T14:07:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:11.000Z", "id": "observed-data--1f728470-0d01-4a69-ae2a-4fa49d0637eb", "last_observed": "2019-08-23T14:07:11.000Z", "modified": "2019-08-23T14:07:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:08.000Z", "id": "observed-data--9c0a9c51-079c-4643-b730-4244338982c3", "last_observed": "2019-08-23T14:07:08.000Z", "modified": "2019-08-23T14:07:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:05.000Z", "id": "observed-data--b9df03e1-164a-489a-8607-affeb93988a6", "last_observed": "2019-08-23T14:07:05.000Z", "modified": "2019-08-23T14:07:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:07:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:07:01.000Z", "id": "observed-data--d7653eef-8c37-4e1a-b0da-0bca6ff41e8f", "last_observed": "2019-08-23T14:07:01.000Z", "modified": "2019-08-23T14:07:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDc6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNzowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:07:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:07:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:58.000Z", "id": "observed-data--cd7ca8df-66b3-4e6d-bd20-b5da1990939a", "last_observed": "2019-08-23T14:06:58.000Z", "modified": "2019-08-23T14:06:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:55.000Z", "id": "observed-data--2124968e-02be-48a1-9f8e-80ceb24c3c54", "last_observed": "2019-08-23T14:06:55.000Z", "modified": "2019-08-23T14:06:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:52.000Z", "id": "observed-data--543bc6a1-9d27-4a5a-8171-d5cdfd3576e3", "last_observed": "2019-08-23T14:06:52.000Z", "modified": "2019-08-23T14:06:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:49.000Z", "id": "observed-data--f9193601-f482-40ba-92df-7ee1532973b8", "last_observed": "2019-08-23T14:06:49.000Z", "modified": "2019-08-23T14:06:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:46.000Z", "id": "observed-data--e1483d61-0029-48d4-b3c6-f33dd86e2976", "last_observed": "2019-08-23T14:06:46.000Z", "modified": "2019-08-23T14:06:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:43.000Z", "id": "observed-data--3885f82c-2b94-4a0e-8e2b-7195117a07e5", "last_observed": "2019-08-23T14:06:43.000Z", "modified": "2019-08-23T14:06:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:39.000Z", "id": "observed-data--8ad47fe7-5966-4e83-bf94-ac644dc244f3", "last_observed": "2019-08-23T14:06:39.000Z", "modified": "2019-08-23T14:06:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:36.000Z", "id": "observed-data--9f35162f-3da6-4618-9bd6-dd62e9d7bd5f", "last_observed": "2019-08-23T14:06:36.000Z", "modified": "2019-08-23T14:06:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:33.000Z", "id": "observed-data--5b60d6b8-f7a1-488c-9d23-26e96e94d4a0", "last_observed": "2019-08-23T14:06:33.000Z", "modified": "2019-08-23T14:06:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:30.000Z", "id": "observed-data--d0cda698-69e1-413c-88b9-bf030b45e4be", "last_observed": "2019-08-23T14:06:30.000Z", "modified": "2019-08-23T14:06:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:27.000Z", "id": "observed-data--4876e7ea-7305-43ce-b9b1-9e1ecc52f8f2", "last_observed": "2019-08-23T14:06:27.000Z", "modified": "2019-08-23T14:06:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:24.000Z", "id": "observed-data--5cdfadc0-1215-4404-a772-1d75767eb1ab", "last_observed": "2019-08-23T14:06:24.000Z", "modified": "2019-08-23T14:06:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:21.000Z", "id": "observed-data--11328bbd-b1a7-4a0a-89ea-57a537518095", "last_observed": "2019-08-23T14:06:21.000Z", "modified": "2019-08-23T14:06:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:17.000Z", "id": "observed-data--df96853b-19d4-4d85-b154-71ca11f0fabf", "last_observed": "2019-08-23T14:06:17.000Z", "modified": "2019-08-23T14:06:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:14.000Z", "id": "observed-data--28941f8a-af62-4468-a3be-e12e42f02e10", "last_observed": "2019-08-23T14:06:14.000Z", "modified": "2019-08-23T14:06:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:11.000Z", "id": "observed-data--4e58ddf5-2be0-4b42-9d2f-db39edede46d", "last_observed": "2019-08-23T14:06:11.000Z", "modified": "2019-08-23T14:06:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:08.000Z", "id": "observed-data--fecb6173-184e-4969-aa87-85c864bbaddb", "last_observed": "2019-08-23T14:06:08.000Z", "modified": "2019-08-23T14:06:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:05.000Z", "id": "observed-data--b1bc491f-4019-4067-b543-91f976c574ee", "last_observed": "2019-08-23T14:06:05.000Z", "modified": "2019-08-23T14:06:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:06:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:06:02.000Z", "id": "observed-data--5dd86760-0744-450e-828b-7c75575c280f", "last_observed": "2019-08-23T14:06:02.000Z", "modified": "2019-08-23T14:06:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDY6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNjowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:06:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:06:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:58.000Z", "id": "observed-data--6771e152-832f-48b7-916b-295375dc79b4", "last_observed": "2019-08-23T14:05:58.000Z", "modified": "2019-08-23T14:05:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:55.000Z", "id": "observed-data--e15c4b74-ef67-497c-8b8a-21f570287ed1", "last_observed": "2019-08-23T14:05:55.000Z", "modified": "2019-08-23T14:05:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:52.000Z", "id": "observed-data--2c9d5589-c6f6-4564-b060-99704995076f", "last_observed": "2019-08-23T14:05:52.000Z", "modified": "2019-08-23T14:05:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:49.000Z", "id": "observed-data--9417ebb2-ce60-4536-80f0-5f6fbfa22111", "last_observed": "2019-08-23T14:05:49.000Z", "modified": "2019-08-23T14:05:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:46.000Z", "id": "observed-data--7c8edd3b-7ffa-4017-961d-217b4a4c9e2c", "last_observed": "2019-08-23T14:05:46.000Z", "modified": "2019-08-23T14:05:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:43.000Z", "id": "observed-data--e7be22ca-54a0-4c51-ad3a-b0d98497f772", "last_observed": "2019-08-23T14:05:43.000Z", "modified": "2019-08-23T14:05:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:40.000Z", "id": "observed-data--c5c07a3b-3dd2-4cd3-83cb-b6b6e86d556a", "last_observed": "2019-08-23T14:05:40.000Z", "modified": "2019-08-23T14:05:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:36.000Z", "id": "observed-data--5fb88599-43dc-4f4a-8c93-37bbb399c3cb", "last_observed": "2019-08-23T14:05:36.000Z", "modified": "2019-08-23T14:05:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:33.000Z", "id": "observed-data--ce235646-e2ce-402a-8762-d7fc44203de3", "last_observed": "2019-08-23T14:05:33.000Z", "modified": "2019-08-23T14:05:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:30.000Z", "id": "observed-data--980a8439-e172-44e2-9020-d6a1a7025bee", "last_observed": "2019-08-23T14:05:30.000Z", "modified": "2019-08-23T14:05:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:27.000Z", "id": "observed-data--6684fc12-05d9-4e68-9abf-879bfd2ff348", "last_observed": "2019-08-23T14:05:27.000Z", "modified": "2019-08-23T14:05:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNToyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:24.000Z", "id": "observed-data--c261e9f9-17f9-4bbd-9e96-6507259cce86", "last_observed": "2019-08-23T14:05:24.000Z", "modified": "2019-08-23T14:05:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNToyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:21.000Z", "id": "observed-data--b7d0d5a3-60eb-4165-92be-21aebc58a384", "last_observed": "2019-08-23T14:05:21.000Z", "modified": "2019-08-23T14:05:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNToyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:18.000Z", "id": "observed-data--219f957f-13b6-4036-838b-46970e5744de", "last_observed": "2019-08-23T14:05:18.000Z", "modified": "2019-08-23T14:05:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:14.000Z", "id": "observed-data--b2275dd0-29ff-4967-8755-52f47746f053", "last_observed": "2019-08-23T14:05:14.000Z", "modified": "2019-08-23T14:05:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNToxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:11.000Z", "id": "observed-data--9cc3f1b6-b1cf-422a-b5db-303f19f86bbb", "last_observed": "2019-08-23T14:05:11.000Z", "modified": "2019-08-23T14:05:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNToxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:08.000Z", "id": "observed-data--354022ce-54ea-4665-a423-46342e4f448b", "last_observed": "2019-08-23T14:05:08.000Z", "modified": "2019-08-23T14:05:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:05.000Z", "id": "observed-data--87524938-1d3a-47f0-92cd-fc308ef75747", "last_observed": "2019-08-23T14:05:05.000Z", "modified": "2019-08-23T14:05:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:05:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:05:02.000Z", "id": "observed-data--0c99bd22-3e5f-41da-8f28-a8dcbf864e6b", "last_observed": "2019-08-23T14:05:02.000Z", "modified": "2019-08-23T14:05:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDU6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:05:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:05:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:59.000Z", "id": "observed-data--d0d016de-386d-413a-9b00-65f6dfabf96a", "last_observed": "2019-08-23T14:04:59.000Z", "modified": "2019-08-23T14:04:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:55.000Z", "id": "observed-data--22d03528-ad79-4acf-8ad1-956ce5aaf0b2", "last_observed": "2019-08-23T14:04:55.000Z", "modified": "2019-08-23T14:04:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:52.000Z", "id": "observed-data--d7429a6d-3c88-4ad3-af1c-53330e9c843a", "last_observed": "2019-08-23T14:04:52.000Z", "modified": "2019-08-23T14:04:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:49.000Z", "id": "observed-data--3b407d70-21e9-4f9c-b5fb-ad95b9fad4dd", "last_observed": "2019-08-23T14:04:49.000Z", "modified": "2019-08-23T14:04:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:46.000Z", "id": "observed-data--a48e7ab4-e0aa-4e06-bd46-4173012fbb21", "last_observed": "2019-08-23T14:04:46.000Z", "modified": "2019-08-23T14:04:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:43.000Z", "id": "observed-data--69cbf66b-1dcd-400a-a680-b5d90dc563f4", "last_observed": "2019-08-23T14:04:43.000Z", "modified": "2019-08-23T14:04:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:40.000Z", "id": "observed-data--0998fccd-d5b2-4acd-bef3-1b0ddb9382cf", "last_observed": "2019-08-23T14:04:40.000Z", "modified": "2019-08-23T14:04:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:37.000Z", "id": "observed-data--d5c6fe0c-1a86-4d92-8bae-edb770e1188e", "last_observed": "2019-08-23T14:04:37.000Z", "modified": "2019-08-23T14:04:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:33.000Z", "id": "observed-data--5a66a104-cae8-42e8-a8e7-7031e01f2e8f", "last_observed": "2019-08-23T14:04:33.000Z", "modified": "2019-08-23T14:04:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:30.000Z", "id": "observed-data--b4f50b65-8591-4df2-922d-b8de65563a6c", "last_observed": "2019-08-23T14:04:30.000Z", "modified": "2019-08-23T14:04:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:27.000Z", "id": "observed-data--29069f30-faf4-4c98-8408-029926944e1d", "last_observed": "2019-08-23T14:04:27.000Z", "modified": "2019-08-23T14:04:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:24.000Z", "id": "observed-data--fec3feca-8564-49f3-aa35-bb1e6ab2e224", "last_observed": "2019-08-23T14:04:24.000Z", "modified": "2019-08-23T14:04:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:21.000Z", "id": "observed-data--8d12c29b-9bf1-494a-9015-9cf8e25890e3", "last_observed": "2019-08-23T14:04:21.000Z", "modified": "2019-08-23T14:04:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:18.000Z", "id": "observed-data--4d72fe98-48dd-4cfd-8e74-a02328bca8a0", "last_observed": "2019-08-23T14:04:18.000Z", "modified": "2019-08-23T14:04:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:14.000Z", "id": "observed-data--46b8d31d-40f7-4111-a910-48274607fdce", "last_observed": "2019-08-23T14:04:14.000Z", "modified": "2019-08-23T14:04:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:11.000Z", "id": "observed-data--cc0aff0f-7253-4b17-adea-dec0fca943af", "last_observed": "2019-08-23T14:04:11.000Z", "modified": "2019-08-23T14:04:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:08.000Z", "id": "observed-data--b076b728-8923-4c2e-b243-dbd24eba85fa", "last_observed": "2019-08-23T14:04:08.000Z", "modified": "2019-08-23T14:04:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:05.000Z", "id": "observed-data--1e96d57a-40e4-4eba-a4ab-c52db4d7af7f", "last_observed": "2019-08-23T14:04:05.000Z", "modified": "2019-08-23T14:04:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:04:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:04:02.000Z", "id": "observed-data--2aaddd30-57e4-4719-9f60-30262532e744", "last_observed": "2019-08-23T14:04:02.000Z", "modified": "2019-08-23T14:04:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDQ6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowNDowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:04:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:04:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:59.000Z", "id": "observed-data--e8861399-c0d7-4f19-81ee-931c5995adcc", "last_observed": "2019-08-23T14:03:59.000Z", "modified": "2019-08-23T14:03:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:56.000Z", "id": "observed-data--52073490-bd34-4520-8547-8351881eb9b5", "last_observed": "2019-08-23T14:03:56.000Z", "modified": "2019-08-23T14:03:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:52.000Z", "id": "observed-data--7dec9a2a-50d4-4622-a263-ff857b179990", "last_observed": "2019-08-23T14:03:52.000Z", "modified": "2019-08-23T14:03:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:49.000Z", "id": "observed-data--b84c288f-f6b1-4d9e-8c76-bec3c09ea2e3", "last_observed": "2019-08-23T14:03:49.000Z", "modified": "2019-08-23T14:03:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:46.000Z", "id": "observed-data--b8a83bd1-74e2-479f-aa09-30314e3fd9e5", "last_observed": "2019-08-23T14:03:46.000Z", "modified": "2019-08-23T14:03:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:43.000Z", "id": "observed-data--d2f39ee4-5322-46df-977f-af02a64f3074", "last_observed": "2019-08-23T14:03:43.000Z", "modified": "2019-08-23T14:03:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:40.000Z", "id": "observed-data--9e61ae46-eaeb-4187-b2b7-1e503d821307", "last_observed": "2019-08-23T14:03:40.000Z", "modified": "2019-08-23T14:03:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:37.000Z", "id": "observed-data--576ca830-36a8-458e-b053-0bb5768d59ca", "last_observed": "2019-08-23T14:03:37.000Z", "modified": "2019-08-23T14:03:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:33.000Z", "id": "observed-data--8609bf42-71ac-4a47-b6b1-1db47d3228e2", "last_observed": "2019-08-23T14:03:33.000Z", "modified": "2019-08-23T14:03:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:30.000Z", "id": "observed-data--ef9b2bb1-a962-4548-8044-f31f1f68d42f", "last_observed": "2019-08-23T14:03:30.000Z", "modified": "2019-08-23T14:03:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:27.000Z", "id": "observed-data--f6516ad6-d400-4453-bc0a-49ed30a6ca15", "last_observed": "2019-08-23T14:03:27.000Z", "modified": "2019-08-23T14:03:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:24.000Z", "id": "observed-data--3f7de822-994c-4cbd-bd69-cbc43a81cc20", "last_observed": "2019-08-23T14:03:24.000Z", "modified": "2019-08-23T14:03:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:21.000Z", "id": "observed-data--f979a2fd-52a4-4295-925b-09e0db58f0bf", "last_observed": "2019-08-23T14:03:21.000Z", "modified": "2019-08-23T14:03:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:18.000Z", "id": "observed-data--31e1904d-4559-4046-a17c-06bdc0cb513c", "last_observed": "2019-08-23T14:03:18.000Z", "modified": "2019-08-23T14:03:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:15.000Z", "id": "observed-data--384c0e3c-b9da-40eb-b442-f3e5b65305db", "last_observed": "2019-08-23T14:03:15.000Z", "modified": "2019-08-23T14:03:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:11.000Z", "id": "observed-data--c4f4c6c4-611e-495f-bb2a-17df7259f374", "last_observed": "2019-08-23T14:03:11.000Z", "modified": "2019-08-23T14:03:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:08.000Z", "id": "observed-data--294f0258-343c-4c77-9908-d56cec86d958", "last_observed": "2019-08-23T14:03:08.000Z", "modified": "2019-08-23T14:03:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:05.000Z", "id": "observed-data--2bb43850-4b8b-4b64-86de-645983d2b8a1", "last_observed": "2019-08-23T14:03:05.000Z", "modified": "2019-08-23T14:03:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:03:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:03:02.000Z", "id": "observed-data--5b5e585e-6a61-49a8-902c-1a80f7d18a99", "last_observed": "2019-08-23T14:03:02.000Z", "modified": "2019-08-23T14:03:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDM6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMzowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:03:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:03:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:59.000Z", "id": "observed-data--aa1ab52f-25b6-4a34-bd05-3d9d562458a6", "last_observed": "2019-08-23T14:02:59.000Z", "modified": "2019-08-23T14:02:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:56.000Z", "id": "observed-data--6d4eafae-6a47-4f83-a0ab-ccdcae744328", "last_observed": "2019-08-23T14:02:56.000Z", "modified": "2019-08-23T14:02:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:53.000Z", "id": "observed-data--f540e339-17f2-46f3-908b-ebe43ec20b47", "last_observed": "2019-08-23T14:02:53.000Z", "modified": "2019-08-23T14:02:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:49.000Z", "id": "observed-data--f532f0ea-1b7a-4296-9be5-e1a7664e18bf", "last_observed": "2019-08-23T14:02:49.000Z", "modified": "2019-08-23T14:02:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:46.000Z", "id": "observed-data--bf9ce90b-cb5b-4543-ac28-39e81810fd1d", "last_observed": "2019-08-23T14:02:46.000Z", "modified": "2019-08-23T14:02:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:43.000Z", "id": "observed-data--dccd342c-ac96-45e1-8d19-5326dd4a7184", "last_observed": "2019-08-23T14:02:43.000Z", "modified": "2019-08-23T14:02:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:40.000Z", "id": "observed-data--0f04a21c-21f1-40c0-99e7-ccd2953ca0d8", "last_observed": "2019-08-23T14:02:40.000Z", "modified": "2019-08-23T14:02:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:37.000Z", "id": "observed-data--46ebcfe2-d2ad-473c-bb5e-731d61553cb3", "last_observed": "2019-08-23T14:02:37.000Z", "modified": "2019-08-23T14:02:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:34.000Z", "id": "observed-data--63d57435-611b-4b31-a8cb-a1ca3753aed4", "last_observed": "2019-08-23T14:02:34.000Z", "modified": "2019-08-23T14:02:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:30.000Z", "id": "observed-data--f5021bd8-b8a8-45e7-b3b4-a0f5d24a1631", "last_observed": "2019-08-23T14:02:30.000Z", "modified": "2019-08-23T14:02:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:27.000Z", "id": "observed-data--ffcfc8e6-8b3c-4624-a72a-778624f85bf3", "last_observed": "2019-08-23T14:02:27.000Z", "modified": "2019-08-23T14:02:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:24.000Z", "id": "observed-data--ac01a7e0-0a87-4224-b9c5-4d5b981c63d2", "last_observed": "2019-08-23T14:02:24.000Z", "modified": "2019-08-23T14:02:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:21.000Z", "id": "observed-data--cc18e047-9ca5-4c0d-b7bd-5fe38b0639c2", "last_observed": "2019-08-23T14:02:21.000Z", "modified": "2019-08-23T14:02:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:18.000Z", "id": "observed-data--26eaea06-cecc-4a2d-a0b7-c8f7f323a148", "last_observed": "2019-08-23T14:02:18.000Z", "modified": "2019-08-23T14:02:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:15.000Z", "id": "observed-data--d03fb983-4114-4c17-b723-940a955cf3ef", "last_observed": "2019-08-23T14:02:15.000Z", "modified": "2019-08-23T14:02:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:12.000Z", "id": "observed-data--42a7ad8a-45c5-44fb-9c95-49cadd7cb536", "last_observed": "2019-08-23T14:02:12.000Z", "modified": "2019-08-23T14:02:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:08.000Z", "id": "observed-data--840d218d-c41d-4d47-ac95-dc0f29345b41", "last_observed": "2019-08-23T14:02:08.000Z", "modified": "2019-08-23T14:02:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:05.000Z", "id": "observed-data--d7a726b8-05d6-41f4-902f-3e533266b07a", "last_observed": "2019-08-23T14:02:05.000Z", "modified": "2019-08-23T14:02:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:02:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:02:02.000Z", "id": "observed-data--3036a75e-7a46-428d-8bb7-9118298d6843", "last_observed": "2019-08-23T14:02:02.000Z", "modified": "2019-08-23T14:02:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDI6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMjowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:02:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:02:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:59.000Z", "id": "observed-data--5a9527cb-c89d-4980-817f-f8428bc9491c", "last_observed": "2019-08-23T14:01:59.000Z", "modified": "2019-08-23T14:01:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:56.000Z", "id": "observed-data--325d26ba-92ec-4918-a64c-f5a81c9905bd", "last_observed": "2019-08-23T14:01:56.000Z", "modified": "2019-08-23T14:01:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:53.000Z", "id": "observed-data--a29d31d5-2eb1-4f12-aecb-a05aaeb62615", "last_observed": "2019-08-23T14:01:53.000Z", "modified": "2019-08-23T14:01:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:49.000Z", "id": "observed-data--82c6b9cf-7863-4838-9808-7886039de8e0", "last_observed": "2019-08-23T14:01:49.000Z", "modified": "2019-08-23T14:01:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:46.000Z", "id": "observed-data--6295365d-0d75-42e3-ba62-acba24f7bf77", "last_observed": "2019-08-23T14:01:46.000Z", "modified": "2019-08-23T14:01:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:43.000Z", "id": "observed-data--2776387d-c27d-49cf-a452-64845ec118d3", "last_observed": "2019-08-23T14:01:43.000Z", "modified": "2019-08-23T14:01:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:40.000Z", "id": "observed-data--f66ee667-4f30-4d8c-a727-20e84599b646", "last_observed": "2019-08-23T14:01:40.000Z", "modified": "2019-08-23T14:01:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:37.000Z", "id": "observed-data--ce3b92cc-95e1-4632-9c00-8787461ecffc", "last_observed": "2019-08-23T14:01:37.000Z", "modified": "2019-08-23T14:01:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:34.000Z", "id": "observed-data--d1b6c879-5833-4210-832b-f3e54593dfc3", "last_observed": "2019-08-23T14:01:34.000Z", "modified": "2019-08-23T14:01:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:31.000Z", "id": "observed-data--e853d0f2-a79e-411d-884a-f50ca371b597", "last_observed": "2019-08-23T14:01:31.000Z", "modified": "2019-08-23T14:01:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:27.000Z", "id": "observed-data--cc256b74-1d87-4696-9380-24ccd2c6f0d4", "last_observed": "2019-08-23T14:01:27.000Z", "modified": "2019-08-23T14:01:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMToyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:24.000Z", "id": "observed-data--d97e0e4b-0acc-4eb4-8922-3fe4c6b8b280", "last_observed": "2019-08-23T14:01:24.000Z", "modified": "2019-08-23T14:01:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMToyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:21.000Z", "id": "observed-data--4932d632-d11e-468b-aaba-9a0b055b4527", "last_observed": "2019-08-23T14:01:21.000Z", "modified": "2019-08-23T14:01:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMToyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:18.000Z", "id": "observed-data--2f2e60e9-be9d-4ba3-96cb-6e140ae18593", "last_observed": "2019-08-23T14:01:18.000Z", "modified": "2019-08-23T14:01:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:15.000Z", "id": "observed-data--ea5cdfd2-e850-4a7a-8fcb-af0d051079c9", "last_observed": "2019-08-23T14:01:15.000Z", "modified": "2019-08-23T14:01:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMToxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:12.000Z", "id": "observed-data--87352036-d642-47d4-8b66-6a14701b0799", "last_observed": "2019-08-23T14:01:12.000Z", "modified": "2019-08-23T14:01:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMToxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:08.000Z", "id": "observed-data--6bfc637c-328b-48a1-88c7-d867f0b2f697", "last_observed": "2019-08-23T14:01:08.000Z", "modified": "2019-08-23T14:01:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:05.000Z", "id": "observed-data--6f07cb6a-a68e-4956-8507-31f27a632cdc", "last_observed": "2019-08-23T14:01:05.000Z", "modified": "2019-08-23T14:01:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:01:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:01:02.000Z", "id": "observed-data--7ba3ae23-8dfd-4032-a30b-ef77bb36fd3e", "last_observed": "2019-08-23T14:01:02.000Z", "modified": "2019-08-23T14:01:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDE6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:01:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:01:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:59.000Z", "id": "observed-data--01c34c4c-1997-4d19-b87d-d5a5754466ea", "last_observed": "2019-08-23T14:00:59.000Z", "modified": "2019-08-23T14:00:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:56.000Z", "id": "observed-data--dfb001cd-8155-434f-a4b6-f0fff53ce74b", "last_observed": "2019-08-23T14:00:56.000Z", "modified": "2019-08-23T14:00:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:53.000Z", "id": "observed-data--7f915ccd-2858-4d4f-9d94-92e9c24a0af3", "last_observed": "2019-08-23T14:00:53.000Z", "modified": "2019-08-23T14:00:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:50.000Z", "id": "observed-data--968a3294-20ba-4955-a65f-f6c4b03a7b78", "last_observed": "2019-08-23T14:00:50.000Z", "modified": "2019-08-23T14:00:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:46.000Z", "id": "observed-data--7ae1f2af-831b-40c6-9f65-72333db1cb7f", "last_observed": "2019-08-23T14:00:46.000Z", "modified": "2019-08-23T14:00:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:43.000Z", "id": "observed-data--2679a64c-360c-4669-9e2c-7c50de49674b", "last_observed": "2019-08-23T14:00:43.000Z", "modified": "2019-08-23T14:00:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:40.000Z", "id": "observed-data--e847c100-7474-48c6-979b-a13d929e4362", "last_observed": "2019-08-23T14:00:40.000Z", "modified": "2019-08-23T14:00:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:37.000Z", "id": "observed-data--36e98347-afde-410a-8061-76bd1325b646", "last_observed": "2019-08-23T14:00:37.000Z", "modified": "2019-08-23T14:00:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:34.000Z", "id": "observed-data--2d69624c-1540-4681-8af3-6df64eeaefd5", "last_observed": "2019-08-23T14:00:34.000Z", "modified": "2019-08-23T14:00:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:31.000Z", "id": "observed-data--a84a5ff0-c8dc-4c38-ba91-602879e8eb18", "last_observed": "2019-08-23T14:00:31.000Z", "modified": "2019-08-23T14:00:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:28.000Z", "id": "observed-data--660b586f-953e-4f7b-9ca3-463507cb0c43", "last_observed": "2019-08-23T14:00:28.000Z", "modified": "2019-08-23T14:00:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:24.000Z", "id": "observed-data--2fd27b06-a9df-4347-98ae-653d1475f8b5", "last_observed": "2019-08-23T14:00:24.000Z", "modified": "2019-08-23T14:00:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:21.000Z", "id": "observed-data--3ff5e211-e809-4101-ab6d-e119280c7007", "last_observed": "2019-08-23T14:00:21.000Z", "modified": "2019-08-23T14:00:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:18.000Z", "id": "observed-data--2aecb329-a5f4-4b40-8091-9f1ea2807c45", "last_observed": "2019-08-23T14:00:18.000Z", "modified": "2019-08-23T14:00:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:15.000Z", "id": "observed-data--6113839b-87ca-403e-bcc5-96b5c076d08f", "last_observed": "2019-08-23T14:00:15.000Z", "modified": "2019-08-23T14:00:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:12.000Z", "id": "observed-data--607afee1-652c-4199-b576-01b1f2f57057", "last_observed": "2019-08-23T14:00:12.000Z", "modified": "2019-08-23T14:00:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:09.000Z", "id": "observed-data--458ed1fe-3f68-431f-bdff-295c502aa240", "last_observed": "2019-08-23T14:00:09.000Z", "modified": "2019-08-23T14:00:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:05.000Z", "id": "observed-data--02263db7-51f0-4c14-a93c-477512e82e2f", "last_observed": "2019-08-23T14:00:05.000Z", "modified": "2019-08-23T14:00:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T14:00:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T14:00:02.000Z", "id": "observed-data--94654001-984f-4f7a-9033-c58866181b13", "last_observed": "2019-08-23T14:00:02.000Z", "modified": "2019-08-23T14:00:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTQ6MDA6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDowMDowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 14:00:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 14:00:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:59.000Z", "id": "observed-data--9c1259b6-687d-4ae8-82b7-03a0c35bab0a", "last_observed": "2019-08-23T13:59:59.000Z", "modified": "2019-08-23T13:59:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:56.000Z", "id": "observed-data--51c29370-feac-4b96-b943-e7b16b9afc7b", "last_observed": "2019-08-23T13:59:56.000Z", "modified": "2019-08-23T13:59:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:53.000Z", "id": "observed-data--435e5ebb-066f-49d6-a019-ec067e51e7ac", "last_observed": "2019-08-23T13:59:53.000Z", "modified": "2019-08-23T13:59:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:50.000Z", "id": "observed-data--79b0b152-61b5-406d-862b-1730f1d82ecc", "last_observed": "2019-08-23T13:59:50.000Z", "modified": "2019-08-23T13:59:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:47.000Z", "id": "observed-data--5fcf77b1-2265-40bd-97d9-c0a9cc34b08d", "last_observed": "2019-08-23T13:59:47.000Z", "modified": "2019-08-23T13:59:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:43.000Z", "id": "observed-data--daa1df7d-f13a-49e4-b02e-c684f60e2be9", "last_observed": "2019-08-23T13:59:43.000Z", "modified": "2019-08-23T13:59:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:40.000Z", "id": "observed-data--02dbc660-e564-4510-bcab-68dc4819a41b", "last_observed": "2019-08-23T13:59:40.000Z", "modified": "2019-08-23T13:59:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:37.000Z", "id": "observed-data--6b9a5723-893b-4453-85ba-ec8354958dda", "last_observed": "2019-08-23T13:59:37.000Z", "modified": "2019-08-23T13:59:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:34.000Z", "id": "observed-data--c731e0a5-1630-4929-8bed-9336a30870fa", "last_observed": "2019-08-23T13:59:34.000Z", "modified": "2019-08-23T13:59:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:31.000Z", "id": "observed-data--dac37868-103a-4be1-b9e6-55da7714e706", "last_observed": "2019-08-23T13:59:31.000Z", "modified": "2019-08-23T13:59:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:28.000Z", "id": "observed-data--32cd7bc0-e029-4f2b-80b3-b9b0823ae049", "last_observed": "2019-08-23T13:59:28.000Z", "modified": "2019-08-23T13:59:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OToyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:25.000Z", "id": "observed-data--9e1f4177-4ca6-491a-a114-7312eafcb919", "last_observed": "2019-08-23T13:59:25.000Z", "modified": "2019-08-23T13:59:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OToyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:21.000Z", "id": "observed-data--907029e3-b62d-4733-9cad-5a866f95f746", "last_observed": "2019-08-23T13:59:21.000Z", "modified": "2019-08-23T13:59:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OToyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:18.000Z", "id": "observed-data--a74a0c72-f144-47fd-afde-4ce90a243f9f", "last_observed": "2019-08-23T13:59:18.000Z", "modified": "2019-08-23T13:59:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:15.000Z", "id": "observed-data--3fc1860d-d841-4625-96de-f1e252d513ae", "last_observed": "2019-08-23T13:59:15.000Z", "modified": "2019-08-23T13:59:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OToxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:12.000Z", "id": "observed-data--bebc2e02-fe77-427c-85c4-1709210cdc25", "last_observed": "2019-08-23T13:59:12.000Z", "modified": "2019-08-23T13:59:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OToxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:09.000Z", "id": "observed-data--d0935a6b-fa91-4953-a873-d9961602d623", "last_observed": "2019-08-23T13:59:09.000Z", "modified": "2019-08-23T13:59:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:06.000Z", "id": "observed-data--f0055a9a-a021-4edf-b453-955035026e4c", "last_observed": "2019-08-23T13:59:06.000Z", "modified": "2019-08-23T13:59:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:59:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:59:02.000Z", "id": "observed-data--1a2ad154-f063-485a-b0f9-47fd8148cc12", "last_observed": "2019-08-23T13:59:02.000Z", "modified": "2019-08-23T13:59:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTk6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1OTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:59:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:59:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:59.000Z", "id": "observed-data--691bc36d-4e0e-41f5-b29c-3527edddfe64", "last_observed": "2019-08-23T13:58:59.000Z", "modified": "2019-08-23T13:58:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:56.000Z", "id": "observed-data--6f1eeb18-8630-4c4e-85f6-2992859f7348", "last_observed": "2019-08-23T13:58:56.000Z", "modified": "2019-08-23T13:58:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:53.000Z", "id": "observed-data--930814f5-5d0f-48b2-aaa8-9591cc5d3dae", "last_observed": "2019-08-23T13:58:53.000Z", "modified": "2019-08-23T13:58:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:50.000Z", "id": "observed-data--bcbc253b-2dc8-49e7-8f72-8c935238f2e2", "last_observed": "2019-08-23T13:58:50.000Z", "modified": "2019-08-23T13:58:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:47.000Z", "id": "observed-data--b16242f6-24c7-42d7-a6c8-133426064322", "last_observed": "2019-08-23T13:58:47.000Z", "modified": "2019-08-23T13:58:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:44.000Z", "id": "observed-data--1cc0a1bb-e466-4b0b-9dc1-b509aa973c44", "last_observed": "2019-08-23T13:58:44.000Z", "modified": "2019-08-23T13:58:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:40.000Z", "id": "observed-data--de9df19e-67a2-4362-b642-5c1653e3a3af", "last_observed": "2019-08-23T13:58:40.000Z", "modified": "2019-08-23T13:58:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:37.000Z", "id": "observed-data--10b03076-dcb0-4fea-94a6-ca21c59ff150", "last_observed": "2019-08-23T13:58:37.000Z", "modified": "2019-08-23T13:58:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:34.000Z", "id": "observed-data--e9f18f42-c49e-4a61-8e41-d0a4cf5b686d", "last_observed": "2019-08-23T13:58:34.000Z", "modified": "2019-08-23T13:58:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:31.000Z", "id": "observed-data--248b29f3-9e73-488e-85e3-c4f5d1e181b7", "last_observed": "2019-08-23T13:58:31.000Z", "modified": "2019-08-23T13:58:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:28.000Z", "id": "observed-data--fbc47ae2-07da-4fc3-9f08-80912c3fcaa8", "last_observed": "2019-08-23T13:58:28.000Z", "modified": "2019-08-23T13:58:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:25.000Z", "id": "observed-data--7dc67bdc-14ff-450a-beed-3863241f3ab4", "last_observed": "2019-08-23T13:58:25.000Z", "modified": "2019-08-23T13:58:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:22.000Z", "id": "observed-data--1cef60b9-6fa3-4b14-9c8b-36ec763a0406", "last_observed": "2019-08-23T13:58:22.000Z", "modified": "2019-08-23T13:58:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:18.000Z", "id": "observed-data--6bf4fd97-5450-49b3-8be8-864c01cdda9c", "last_observed": "2019-08-23T13:58:18.000Z", "modified": "2019-08-23T13:58:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:15.000Z", "id": "observed-data--43440beb-0f54-41b5-b561-764fbe7b70ef", "last_observed": "2019-08-23T13:58:15.000Z", "modified": "2019-08-23T13:58:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:12.000Z", "id": "observed-data--468c58c9-3446-4f19-81a4-d0de3234ea8f", "last_observed": "2019-08-23T13:58:12.000Z", "modified": "2019-08-23T13:58:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:09.000Z", "id": "observed-data--e7541281-2337-499b-8836-253f71cdbe9a", "last_observed": "2019-08-23T13:58:09.000Z", "modified": "2019-08-23T13:58:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:06.000Z", "id": "observed-data--55373642-3caf-4256-a57f-d5d12202dabc", "last_observed": "2019-08-23T13:58:06.000Z", "modified": "2019-08-23T13:58:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:03.000Z", "id": "observed-data--8de559a8-32e5-4cb9-95f2-78fa13be490b", "last_observed": "2019-08-23T13:58:03.000Z", "modified": "2019-08-23T13:58:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:58:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:58:00.000Z", "id": "observed-data--bfc11be3-e938-4e01-ba79-1b1497e6d1c1", "last_observed": "2019-08-23T13:58:00.000Z", "modified": "2019-08-23T13:58:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTg6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1ODowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:58:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:58:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:56.000Z", "id": "observed-data--e8e82ac9-7d77-4cc9-862a-9cec3c6b82c8", "last_observed": "2019-08-23T13:57:56.000Z", "modified": "2019-08-23T13:57:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Nzo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:53.000Z", "id": "observed-data--17656656-d60d-4459-b246-28d56b1d337c", "last_observed": "2019-08-23T13:57:53.000Z", "modified": "2019-08-23T13:57:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Nzo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:50.000Z", "id": "observed-data--a5540315-7648-4d21-81d2-1de0c2e8cb72", "last_observed": "2019-08-23T13:57:50.000Z", "modified": "2019-08-23T13:57:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Nzo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:47.000Z", "id": "observed-data--cb5727e9-950e-4992-ba71-165a3f910ca3", "last_observed": "2019-08-23T13:57:47.000Z", "modified": "2019-08-23T13:57:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Nzo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:44.000Z", "id": "observed-data--a98dd309-5f38-47a9-b24c-500c07685d9c", "last_observed": "2019-08-23T13:57:44.000Z", "modified": "2019-08-23T13:57:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Nzo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:41.000Z", "id": "observed-data--62631831-6462-4aa1-a224-4319598d9dca", "last_observed": "2019-08-23T13:57:41.000Z", "modified": "2019-08-23T13:57:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Nzo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:37.000Z", "id": "observed-data--70bfcaa9-2c6f-43dd-9906-bb2a5c185f6c", "last_observed": "2019-08-23T13:57:37.000Z", "modified": "2019-08-23T13:57:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:34.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:34.000Z", "id": "observed-data--c65d22be-673d-4045-bc5b-1f4ab56ffe88", "last_observed": "2019-08-23T13:57:34.000Z", "modified": "2019-08-23T13:57:34.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MzQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzozNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:34 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:34 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:31.000Z", "id": "observed-data--18e6f3f3-5f4f-492b-b7d3-bdc9ee02ea28", "last_observed": "2019-08-23T13:57:31.000Z", "modified": "2019-08-23T13:57:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:28.000Z", "id": "observed-data--b140832d-4c05-46f1-8ec3-0f928371ac78", "last_observed": "2019-08-23T13:57:28.000Z", "modified": "2019-08-23T13:57:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:25.000Z", "id": "observed-data--2cc2ae9d-d0b7-44dd-8792-873a96454dcb", "last_observed": "2019-08-23T13:57:25.000Z", "modified": "2019-08-23T13:57:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:22.000Z", "id": "observed-data--e4ec2022-c450-450b-bcd5-d50c1ddd4f0a", "last_observed": "2019-08-23T13:57:22.000Z", "modified": "2019-08-23T13:57:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:19.000Z", "id": "observed-data--0e75e6a4-08eb-4757-81de-7c0daa6fe533", "last_observed": "2019-08-23T13:57:19.000Z", "modified": "2019-08-23T13:57:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:15.000Z", "id": "observed-data--4fe34365-cf8a-4c9b-ad72-db4859461a19", "last_observed": "2019-08-23T13:57:15.000Z", "modified": "2019-08-23T13:57:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzoxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:12.000Z", "id": "observed-data--03b52099-6dea-4b5d-9ff1-ab118c1a649a", "last_observed": "2019-08-23T13:57:12.000Z", "modified": "2019-08-23T13:57:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:09.000Z", "id": "observed-data--17391bcc-fb4e-441b-8333-a323c2d13287", "last_observed": "2019-08-23T13:57:09.000Z", "modified": "2019-08-23T13:57:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:06.000Z", "id": "observed-data--0d44c723-f8be-40fa-97b1-0b8ca3a34e12", "last_observed": "2019-08-23T13:57:06.000Z", "modified": "2019-08-23T13:57:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:03.000Z", "id": "observed-data--b281be3f-1fa0-4e64-838d-3964ce2b1678", "last_observed": "2019-08-23T13:57:03.000Z", "modified": "2019-08-23T13:57:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:57:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:57:00.000Z", "id": "observed-data--e3646a7b-9ede-4575-845d-a4320c019ee3", "last_observed": "2019-08-23T13:57:00.000Z", "modified": "2019-08-23T13:57:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTc6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NzowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:57:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:57:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:57.000Z", "id": "observed-data--267842c7-1cd9-4734-8570-5733c08f4aa6", "last_observed": "2019-08-23T13:56:57.000Z", "modified": "2019-08-23T13:56:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Njo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:53.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:53.000Z", "id": "observed-data--a1cce3cf-50b0-475e-9ce3-d5d07c44a780", "last_observed": "2019-08-23T13:56:53.000Z", "modified": "2019-08-23T13:56:53.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6NTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Njo1MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:53 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:53 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:50.000Z", "id": "observed-data--6630fa17-a046-4861-a024-42aee226f966", "last_observed": "2019-08-23T13:56:50.000Z", "modified": "2019-08-23T13:56:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Njo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:47.000Z", "id": "observed-data--a70359e0-a1c2-4999-a374-52fa56c71fb5", "last_observed": "2019-08-23T13:56:47.000Z", "modified": "2019-08-23T13:56:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Njo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:44.000Z", "id": "observed-data--274f8594-b881-4811-aa65-974a8ed299e7", "last_observed": "2019-08-23T13:56:44.000Z", "modified": "2019-08-23T13:56:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Njo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:41.000Z", "id": "observed-data--a119d8bc-04e5-40ac-a264-dfbea22be407", "last_observed": "2019-08-23T13:56:41.000Z", "modified": "2019-08-23T13:56:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Njo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:38.000Z", "id": "observed-data--112fd149-72a2-4728-a7df-a0e81d8034ec", "last_observed": "2019-08-23T13:56:38.000Z", "modified": "2019-08-23T13:56:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:35.000Z", "id": "observed-data--67d363be-7272-459f-9299-d5c42a2b536b", "last_observed": "2019-08-23T13:56:35.000Z", "modified": "2019-08-23T13:56:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:31.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:31.000Z", "id": "observed-data--1eceeca5-da99-4cf2-b4f8-53caedd2815f", "last_observed": "2019-08-23T13:56:31.000Z", "modified": "2019-08-23T13:56:31.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MzEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjozMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:31 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:31 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:28.000Z", "id": "observed-data--71289f2b-d97c-4554-b1d8-44528b29251f", "last_observed": "2019-08-23T13:56:28.000Z", "modified": "2019-08-23T13:56:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjoyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:25.000Z", "id": "observed-data--6423e82a-4b9c-4a9f-913a-a02df9a10349", "last_observed": "2019-08-23T13:56:25.000Z", "modified": "2019-08-23T13:56:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:22.000Z", "id": "observed-data--02776828-8e40-4602-9b81-f58b7191ad19", "last_observed": "2019-08-23T13:56:22.000Z", "modified": "2019-08-23T13:56:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:19.000Z", "id": "observed-data--79c2ffed-0b09-4c67-a582-232b8797ccd9", "last_observed": "2019-08-23T13:56:19.000Z", "modified": "2019-08-23T13:56:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:16.000Z", "id": "observed-data--b55232f7-08f2-420d-8439-f2a373769810", "last_observed": "2019-08-23T13:56:16.000Z", "modified": "2019-08-23T13:56:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:12.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:12.000Z", "id": "observed-data--8dcf9d6f-10c1-4b0f-9249-0d054a8b5eb5", "last_observed": "2019-08-23T13:56:12.000Z", "modified": "2019-08-23T13:56:12.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjoxMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:12 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:12 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:09.000Z", "id": "observed-data--cf0d06f2-245d-4952-a8e5-bb1c33ddbef2", "last_observed": "2019-08-23T13:56:09.000Z", "modified": "2019-08-23T13:56:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:06.000Z", "id": "observed-data--54058ae5-4196-4eb5-bc6c-80584fa74d10", "last_observed": "2019-08-23T13:56:06.000Z", "modified": "2019-08-23T13:56:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:03.000Z", "id": "observed-data--3672f09f-5515-48b6-aff0-2a788daec085", "last_observed": "2019-08-23T13:56:03.000Z", "modified": "2019-08-23T13:56:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:56:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:56:00.000Z", "id": "observed-data--a4261b28-61ad-4ab1-928b-8d8dc292875f", "last_observed": "2019-08-23T13:56:00.000Z", "modified": "2019-08-23T13:56:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTY6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NjowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:56:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:56:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:57.000Z", "id": "observed-data--c6a2bca7-4fd4-4443-9132-9cf2131778f3", "last_observed": "2019-08-23T13:55:57.000Z", "modified": "2019-08-23T13:55:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:54.000Z", "id": "observed-data--addcd092-38b2-49f4-84c4-cc4b84cec180", "last_observed": "2019-08-23T13:55:54.000Z", "modified": "2019-08-23T13:55:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:50.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:50.000Z", "id": "observed-data--f21d5815-dd18-4060-90e9-9e5303530f51", "last_observed": "2019-08-23T13:55:50.000Z", "modified": "2019-08-23T13:55:50.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6NTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTo1MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:50 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:50 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:47.000Z", "id": "observed-data--629b344d-c689-4e42-9c62-ab951896e60a", "last_observed": "2019-08-23T13:55:47.000Z", "modified": "2019-08-23T13:55:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:44.000Z", "id": "observed-data--dd639662-f1d3-46a3-a5ce-20c5e2e4e566", "last_observed": "2019-08-23T13:55:44.000Z", "modified": "2019-08-23T13:55:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:41.000Z", "id": "observed-data--6c571b15-8799-4808-a640-0539949aac1c", "last_observed": "2019-08-23T13:55:41.000Z", "modified": "2019-08-23T13:55:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:38.000Z", "id": "observed-data--3e2790ca-e984-4ccc-982a-13c815f0838f", "last_observed": "2019-08-23T13:55:38.000Z", "modified": "2019-08-23T13:55:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:35.000Z", "id": "observed-data--879a3462-2404-441f-88f2-d523c5043642", "last_observed": "2019-08-23T13:55:35.000Z", "modified": "2019-08-23T13:55:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:32.000Z", "id": "observed-data--931b5ea6-65a8-44bb-a4f2-501c73c6fbd2", "last_observed": "2019-08-23T13:55:32.000Z", "modified": "2019-08-23T13:55:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:28.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:28.000Z", "id": "observed-data--13663bfa-8349-4cb4-a0c3-0083b2989016", "last_observed": "2019-08-23T13:55:28.000Z", "modified": "2019-08-23T13:55:28.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MjggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NToyOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:28 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:28 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:25.000Z", "id": "observed-data--ca36b1d7-eb5b-4683-a4bf-52ebd0ae39ae", "last_observed": "2019-08-23T13:55:25.000Z", "modified": "2019-08-23T13:55:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NToyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:22.000Z", "id": "observed-data--8e51fdf1-777b-4f93-bebb-84c86795297d", "last_observed": "2019-08-23T13:55:22.000Z", "modified": "2019-08-23T13:55:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NToyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:19.000Z", "id": "observed-data--b51c7951-7392-4deb-a3ca-7ed75cfb2301", "last_observed": "2019-08-23T13:55:19.000Z", "modified": "2019-08-23T13:55:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NToxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:16.000Z", "id": "observed-data--3b1d68b5-3f85-4ebc-a555-7e24cedfe14f", "last_observed": "2019-08-23T13:55:16.000Z", "modified": "2019-08-23T13:55:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NToxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:13.000Z", "id": "observed-data--6677559c-6aa0-423e-a1d8-eca5ac3fa4e3", "last_observed": "2019-08-23T13:55:13.000Z", "modified": "2019-08-23T13:55:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NToxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:09.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:09.000Z", "id": "observed-data--d46750f9-ea6b-4883-ac7a-1136f0c5e098", "last_observed": "2019-08-23T13:55:09.000Z", "modified": "2019-08-23T13:55:09.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTowOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:09 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:09 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:06.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:06.000Z", "id": "observed-data--13393c01-99e5-43f0-8910-a03d0eda000b", "last_observed": "2019-08-23T13:55:06.000Z", "modified": "2019-08-23T13:55:06.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTowNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:06 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:06 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:03.000Z", "id": "observed-data--a40db410-f2a3-4971-bc16-8f5475773272", "last_observed": "2019-08-23T13:55:03.000Z", "modified": "2019-08-23T13:55:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:55:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:55:00.000Z", "id": "observed-data--2afb5453-aabf-4656-8b34-6dede25ac2f7", "last_observed": "2019-08-23T13:55:00.000Z", "modified": "2019-08-23T13:55:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTU6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NTowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:55:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:55:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:57.000Z", "id": "observed-data--83433d56-f4a2-4934-8bad-d839eb3e605e", "last_observed": "2019-08-23T13:54:57.000Z", "modified": "2019-08-23T13:54:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:54.000Z", "id": "observed-data--9426b544-7150-46f9-a9f3-a521293c850a", "last_observed": "2019-08-23T13:54:54.000Z", "modified": "2019-08-23T13:54:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:51.000Z", "id": "observed-data--f738a6e8-7a63-4608-ad33-241749a9e2c0", "last_observed": "2019-08-23T13:54:51.000Z", "modified": "2019-08-23T13:54:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:47.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:47.000Z", "id": "observed-data--1c8ec035-254e-4cf5-b9fb-d87ec857ca97", "last_observed": "2019-08-23T13:54:47.000Z", "modified": "2019-08-23T13:54:47.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6NDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDo0NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:47 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:47 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:44.000Z", "id": "observed-data--68f4c672-2b11-45a5-8175-25c0a420472b", "last_observed": "2019-08-23T13:54:44.000Z", "modified": "2019-08-23T13:54:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:41.000Z", "id": "observed-data--7d6d1ff3-0de0-4910-9dcf-e73ddd2230ea", "last_observed": "2019-08-23T13:54:41.000Z", "modified": "2019-08-23T13:54:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:38.000Z", "id": "observed-data--293913ac-bf55-494b-8ad9-c81a55470600", "last_observed": "2019-08-23T13:54:38.000Z", "modified": "2019-08-23T13:54:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:35.000Z", "id": "observed-data--80b4f891-8d8a-4fd5-b46b-bf8e1433e5fe", "last_observed": "2019-08-23T13:54:35.000Z", "modified": "2019-08-23T13:54:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:32.000Z", "id": "observed-data--3f212568-13a1-4691-a566-2957def19db1", "last_observed": "2019-08-23T13:54:32.000Z", "modified": "2019-08-23T13:54:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:29.000Z", "id": "observed-data--e3b6bbc0-a511-4eac-ba0d-ba40f01997fd", "last_observed": "2019-08-23T13:54:29.000Z", "modified": "2019-08-23T13:54:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:25.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:25.000Z", "id": "observed-data--9fd451c7-48dd-497f-b71c-25601b88d1a3", "last_observed": "2019-08-23T13:54:25.000Z", "modified": "2019-08-23T13:54:25.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MjUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoyNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:25 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:25 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:22.000Z", "id": "observed-data--dbb617e9-ed3e-4f40-82e9-cc4f11da0107", "last_observed": "2019-08-23T13:54:22.000Z", "modified": "2019-08-23T13:54:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:19.000Z", "id": "observed-data--3a940d2a-94e0-4582-8f26-b6c3072bc8bf", "last_observed": "2019-08-23T13:54:19.000Z", "modified": "2019-08-23T13:54:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:16.000Z", "id": "observed-data--beccc84f-86ea-4d5e-8941-918eee8d685f", "last_observed": "2019-08-23T13:54:16.000Z", "modified": "2019-08-23T13:54:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:13.000Z", "id": "observed-data--c62fe63d-d3ce-4f49-9e1b-6fa37c2ca2ae", "last_observed": "2019-08-23T13:54:13.000Z", "modified": "2019-08-23T13:54:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:10.000Z", "id": "observed-data--ee293cae-2736-4199-a18a-02061987ab78", "last_observed": "2019-08-23T13:54:10.000Z", "modified": "2019-08-23T13:54:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:07.000Z", "id": "observed-data--93baa0f6-7514-4fba-9756-d40f7013d692", "last_observed": "2019-08-23T13:54:07.000Z", "modified": "2019-08-23T13:54:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:03.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:03.000Z", "id": "observed-data--88557cd7-fcbe-4346-b1ec-9ecee99ebfa1", "last_observed": "2019-08-23T13:54:03.000Z", "modified": "2019-08-23T13:54:03.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDowMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:03 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:03 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:54:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:54:00.000Z", "id": "observed-data--e081e6b2-96b4-4841-8a08-328c05e74c90", "last_observed": "2019-08-23T13:54:00.000Z", "modified": "2019-08-23T13:54:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTQ6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1NDowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:54:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:54:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:57.000Z", "id": "observed-data--7a3041d3-b35c-4223-a3ff-d283f70743cc", "last_observed": "2019-08-23T13:53:57.000Z", "modified": "2019-08-23T13:53:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mzo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:54.000Z", "id": "observed-data--c21505f7-c3ac-4ef4-a861-5c1fbd710bf2", "last_observed": "2019-08-23T13:53:54.000Z", "modified": "2019-08-23T13:53:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mzo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:51.000Z", "id": "observed-data--946a8276-2015-4bef-a6a7-85aaea6b1581", "last_observed": "2019-08-23T13:53:51.000Z", "modified": "2019-08-23T13:53:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mzo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:48.000Z", "id": "observed-data--0ece2bc4-009b-4baa-a5be-9e02a121679d", "last_observed": "2019-08-23T13:53:48.000Z", "modified": "2019-08-23T13:53:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mzo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:44.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:44.000Z", "id": "observed-data--a39f88dd-1173-49fb-887f-dd5d669c54d5", "last_observed": "2019-08-23T13:53:44.000Z", "modified": "2019-08-23T13:53:44.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6NDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mzo0NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:44 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:44 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:41.000Z", "id": "observed-data--ce05bab7-7f3c-4312-bf70-3d9f4ec2c508", "last_observed": "2019-08-23T13:53:41.000Z", "modified": "2019-08-23T13:53:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mzo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:38.000Z", "id": "observed-data--99b19032-d84e-41ba-aebc-c4be2e02800a", "last_observed": "2019-08-23T13:53:38.000Z", "modified": "2019-08-23T13:53:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:35.000Z", "id": "observed-data--275d0462-26be-4ddf-85b6-3a21b567af94", "last_observed": "2019-08-23T13:53:35.000Z", "modified": "2019-08-23T13:53:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:32.000Z", "id": "observed-data--0a4753ba-4606-4bf6-b228-1ed50c002bc3", "last_observed": "2019-08-23T13:53:32.000Z", "modified": "2019-08-23T13:53:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:29.000Z", "id": "observed-data--4f02ccc2-6c8a-421b-ba28-1fb80fc20af2", "last_observed": "2019-08-23T13:53:29.000Z", "modified": "2019-08-23T13:53:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:26.000Z", "id": "observed-data--689cb67b-e476-412f-babc-d1eed49e66d7", "last_observed": "2019-08-23T13:53:26.000Z", "modified": "2019-08-23T13:53:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:22.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:22.000Z", "id": "observed-data--dbe79f6f-d269-498d-8ad8-a1bc31c2e1ac", "last_observed": "2019-08-23T13:53:22.000Z", "modified": "2019-08-23T13:53:22.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MjIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoyMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:22 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:22 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:19.000Z", "id": "observed-data--f8928b22-2ea5-4cd6-b8f7-1e238697dc1f", "last_observed": "2019-08-23T13:53:19.000Z", "modified": "2019-08-23T13:53:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:16.000Z", "id": "observed-data--2cf6a630-fe52-4e69-8151-eb864a9fda1c", "last_observed": "2019-08-23T13:53:16.000Z", "modified": "2019-08-23T13:53:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:13.000Z", "id": "observed-data--aec600ad-9ef2-4870-b022-a5ae0f289ca4", "last_observed": "2019-08-23T13:53:13.000Z", "modified": "2019-08-23T13:53:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:10.000Z", "id": "observed-data--4630735e-044a-4fa5-8142-1152e9a84b6d", "last_observed": "2019-08-23T13:53:10.000Z", "modified": "2019-08-23T13:53:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:07.000Z", "id": "observed-data--0b2d7846-260f-4e25-9092-bd9dc11e1174", "last_observed": "2019-08-23T13:53:07.000Z", "modified": "2019-08-23T13:53:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:04.000Z", "id": "observed-data--897f2356-7c42-48f8-b680-4cd7c06b75f2", "last_observed": "2019-08-23T13:53:04.000Z", "modified": "2019-08-23T13:53:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:53:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:53:00.000Z", "id": "observed-data--0db0fb4e-73fa-4085-b678-6bbdea52f492", "last_observed": "2019-08-23T13:53:00.000Z", "modified": "2019-08-23T13:53:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTM6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MzowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:53:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:53:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:57.000Z", "id": "observed-data--0e39272d-308e-43dd-b850-fc0a08f1e74b", "last_observed": "2019-08-23T13:52:57.000Z", "modified": "2019-08-23T13:52:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mjo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:54.000Z", "id": "observed-data--82cd737c-6873-49c3-b0ba-b5b3852b5ed9", "last_observed": "2019-08-23T13:52:54.000Z", "modified": "2019-08-23T13:52:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mjo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:51.000Z", "id": "observed-data--7092da89-27c2-4a37-9d28-9874a2788160", "last_observed": "2019-08-23T13:52:51.000Z", "modified": "2019-08-23T13:52:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mjo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:48.000Z", "id": "observed-data--9aa7f882-2936-4033-8d3e-658c75c13521", "last_observed": "2019-08-23T13:52:48.000Z", "modified": "2019-08-23T13:52:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mjo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:45.000Z", "id": "observed-data--35f6a898-6bbc-46ba-a9ce-3baa19d68713", "last_observed": "2019-08-23T13:52:45.000Z", "modified": "2019-08-23T13:52:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mjo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:41.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:41.000Z", "id": "observed-data--07d0e1f1-e7e6-4786-b015-7d6361526428", "last_observed": "2019-08-23T13:52:41.000Z", "modified": "2019-08-23T13:52:41.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6NDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1Mjo0MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:41 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:41 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:38.000Z", "id": "observed-data--5f49e010-d1d6-4693-8666-45f2029791e0", "last_observed": "2019-08-23T13:52:38.000Z", "modified": "2019-08-23T13:52:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:35.000Z", "id": "observed-data--3b9945ca-95f2-429f-9841-399a9292524c", "last_observed": "2019-08-23T13:52:35.000Z", "modified": "2019-08-23T13:52:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:32.000Z", "id": "observed-data--e696f000-4695-40e9-a9bd-d8e701cc66eb", "last_observed": "2019-08-23T13:52:32.000Z", "modified": "2019-08-23T13:52:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:29.000Z", "id": "observed-data--25bc97c4-ea89-4021-836b-4e705b480bef", "last_observed": "2019-08-23T13:52:29.000Z", "modified": "2019-08-23T13:52:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:26.000Z", "id": "observed-data--afa4b38f-3957-4c2f-9809-9021385783e8", "last_observed": "2019-08-23T13:52:26.000Z", "modified": "2019-08-23T13:52:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:23.000Z", "id": "observed-data--9a5fd9b7-7a5e-439e-b8be-20033082a14d", "last_observed": "2019-08-23T13:52:23.000Z", "modified": "2019-08-23T13:52:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:19.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:19.000Z", "id": "observed-data--17ed9826-5cb4-4062-b23b-9255a9f92415", "last_observed": "2019-08-23T13:52:19.000Z", "modified": "2019-08-23T13:52:19.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoxOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:19 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:19 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:16.000Z", "id": "observed-data--82a8a88e-efa1-4dd0-88ab-7db46bd3dd58", "last_observed": "2019-08-23T13:52:16.000Z", "modified": "2019-08-23T13:52:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:13.000Z", "id": "observed-data--4e4f0000-7ae8-4331-82b6-6594641551db", "last_observed": "2019-08-23T13:52:13.000Z", "modified": "2019-08-23T13:52:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:10.000Z", "id": "observed-data--0f670562-9de6-45fd-8e4c-b088557be19f", "last_observed": "2019-08-23T13:52:10.000Z", "modified": "2019-08-23T13:52:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:07.000Z", "id": "observed-data--413aa6be-32e0-4842-bf50-20258e56262a", "last_observed": "2019-08-23T13:52:07.000Z", "modified": "2019-08-23T13:52:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:04.000Z", "id": "observed-data--8ea94de3-e54d-4d34-8829-3b03023078fb", "last_observed": "2019-08-23T13:52:04.000Z", "modified": "2019-08-23T13:52:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:52:00.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:52:00.000Z", "id": "observed-data--2045c230-43a2-4109-948b-faaa2a8172f1", "last_observed": "2019-08-23T13:52:00.000Z", "modified": "2019-08-23T13:52:00.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTI6MDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MjowMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:52:00 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:52:00 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:57.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:57.000Z", "id": "observed-data--72cccda4-bba2-43b1-bfe4-7ae69d495704", "last_observed": "2019-08-23T13:51:57.000Z", "modified": "2019-08-23T13:51:57.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6NTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTo1NyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:57 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:57 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:54.000Z", "id": "observed-data--955cd111-5dd1-43a5-94ed-7fbf6ae291dd", "last_observed": "2019-08-23T13:51:54.000Z", "modified": "2019-08-23T13:51:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:51.000Z", "id": "observed-data--2a958ad2-5336-41d7-b821-7df8d64eb5b1", "last_observed": "2019-08-23T13:51:51.000Z", "modified": "2019-08-23T13:51:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:48.000Z", "id": "observed-data--5d4ae816-397d-40f1-9487-783d6e8d18b5", "last_observed": "2019-08-23T13:51:48.000Z", "modified": "2019-08-23T13:51:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:45.000Z", "id": "observed-data--413f6ed7-c167-44c3-834b-327779b04bc8", "last_observed": "2019-08-23T13:51:45.000Z", "modified": "2019-08-23T13:51:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:42.000Z", "id": "observed-data--b8e9c3ad-42ca-44a8-a39c-ca782b110642", "last_observed": "2019-08-23T13:51:42.000Z", "modified": "2019-08-23T13:51:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:38.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:38.000Z", "id": "observed-data--970cd455-6408-44d0-9dbb-a1d0b843236e", "last_observed": "2019-08-23T13:51:38.000Z", "modified": "2019-08-23T13:51:38.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MzggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTozOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:38 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:38 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:35.000Z", "id": "observed-data--4b36fa69-873c-4cba-b2a5-2567e7013136", "last_observed": "2019-08-23T13:51:35.000Z", "modified": "2019-08-23T13:51:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:32.000Z", "id": "observed-data--dad6e4f4-36db-43cb-a73c-e75b613b4c24", "last_observed": "2019-08-23T13:51:32.000Z", "modified": "2019-08-23T13:51:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:29.000Z", "id": "observed-data--7faebfd5-03a6-43c0-83cd-5d8470c89c0e", "last_observed": "2019-08-23T13:51:29.000Z", "modified": "2019-08-23T13:51:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:26.000Z", "id": "observed-data--5b76b11b-c5ca-4b1a-8a01-5f82564b3b39", "last_observed": "2019-08-23T13:51:26.000Z", "modified": "2019-08-23T13:51:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:23.000Z", "id": "observed-data--d1b10687-b0fe-4d5d-a1ca-f35d02a417c0", "last_observed": "2019-08-23T13:51:23.000Z", "modified": "2019-08-23T13:51:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:20.000Z", "id": "observed-data--65c0bca0-e195-4d19-ac4e-12ba9f6618e5", "last_observed": "2019-08-23T13:51:20.000Z", "modified": "2019-08-23T13:51:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:16.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:16.000Z", "id": "observed-data--f640d2d5-ca96-4519-9888-116d927fd80b", "last_observed": "2019-08-23T13:51:16.000Z", "modified": "2019-08-23T13:51:16.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToxNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:16 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:16 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:13.000Z", "id": "observed-data--d17165d7-0003-41e5-95ab-4773192260e6", "last_observed": "2019-08-23T13:51:13.000Z", "modified": "2019-08-23T13:51:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:10.000Z", "id": "observed-data--5989269e-65a6-4204-a027-ff03d42748f5", "last_observed": "2019-08-23T13:51:10.000Z", "modified": "2019-08-23T13:51:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MToxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:07.000Z", "id": "observed-data--dfe80b8f-9c14-4fda-bca3-40258daab124", "last_observed": "2019-08-23T13:51:07.000Z", "modified": "2019-08-23T13:51:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:04.000Z", "id": "observed-data--aacd78c0-961f-48c3-bb59-f39acda3a474", "last_observed": "2019-08-23T13:51:04.000Z", "modified": "2019-08-23T13:51:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:51:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:51:01.000Z", "id": "observed-data--55cd6a07-6362-49bd-837a-28056424d96b", "last_observed": "2019-08-23T13:51:01.000Z", "modified": "2019-08-23T13:51:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTE6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MTowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:51:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:51:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:58.000Z", "id": "observed-data--8db735c3-3b57-4a09-9e2f-bc3d629fdfb1", "last_observed": "2019-08-23T13:50:58.000Z", "modified": "2019-08-23T13:50:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:54.000Z", "id": "observed-data--d64d4bac-e2fd-49f7-9c7f-961babf66aad", "last_observed": "2019-08-23T13:50:54.000Z", "modified": "2019-08-23T13:50:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:51.000Z", "id": "observed-data--fea4b434-fe5f-4ecf-af99-793952fd4eff", "last_observed": "2019-08-23T13:50:51.000Z", "modified": "2019-08-23T13:50:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:48.000Z", "id": "observed-data--5c6dd773-b703-47ac-9d08-ca19ea429852", "last_observed": "2019-08-23T13:50:48.000Z", "modified": "2019-08-23T13:50:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:45.000Z", "id": "observed-data--b299cd33-7763-41e8-81fc-0922d5024fdb", "last_observed": "2019-08-23T13:50:45.000Z", "modified": "2019-08-23T13:50:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:42.000Z", "id": "observed-data--88d08b88-df72-4cde-bc3b-49f32253f9cd", "last_observed": "2019-08-23T13:50:42.000Z", "modified": "2019-08-23T13:50:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:39.000Z", "id": "observed-data--4f88bf05-4b96-4421-a633-a36a73da84cd", "last_observed": "2019-08-23T13:50:39.000Z", "modified": "2019-08-23T13:50:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:35.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:35.000Z", "id": "observed-data--4a09dfeb-1e28-45d5-803d-34632d01a169", "last_observed": "2019-08-23T13:50:35.000Z", "modified": "2019-08-23T13:50:35.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MzUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDozNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:35 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:35 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:32.000Z", "id": "observed-data--d1afd94e-b34e-4405-bbd6-e71efed278b0", "last_observed": "2019-08-23T13:50:32.000Z", "modified": "2019-08-23T13:50:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:29.000Z", "id": "observed-data--0c7834d3-9082-4447-b4ba-6d3dcf822db7", "last_observed": "2019-08-23T13:50:29.000Z", "modified": "2019-08-23T13:50:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:26.000Z", "id": "observed-data--cdd98b23-f1ca-4be8-887c-9955b4ab63e9", "last_observed": "2019-08-23T13:50:26.000Z", "modified": "2019-08-23T13:50:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:23.000Z", "id": "observed-data--82817dc8-c332-4475-91b6-f6122ef2d228", "last_observed": "2019-08-23T13:50:23.000Z", "modified": "2019-08-23T13:50:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:20.000Z", "id": "observed-data--add3939d-695f-41c4-999d-520a3dc17319", "last_observed": "2019-08-23T13:50:20.000Z", "modified": "2019-08-23T13:50:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:17.000Z", "id": "observed-data--3c958711-dc1c-452f-8bd3-50e635ead8c1", "last_observed": "2019-08-23T13:50:17.000Z", "modified": "2019-08-23T13:50:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:13.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:13.000Z", "id": "observed-data--032d3552-23e1-477c-a40d-bfc01c535ef8", "last_observed": "2019-08-23T13:50:13.000Z", "modified": "2019-08-23T13:50:13.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MTMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoxMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:13 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:13 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:10.000Z", "id": "observed-data--7f06b22d-31ff-455a-a860-d4ad250c447f", "last_observed": "2019-08-23T13:50:10.000Z", "modified": "2019-08-23T13:50:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDoxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:07.000Z", "id": "observed-data--254c5b98-1a9f-4e0b-8dfb-52ce2b1fb468", "last_observed": "2019-08-23T13:50:07.000Z", "modified": "2019-08-23T13:50:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:04.000Z", "id": "observed-data--fb26cc8c-6b61-445b-9c78-fd6cf3a5e301", "last_observed": "2019-08-23T13:50:04.000Z", "modified": "2019-08-23T13:50:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:50:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:50:01.000Z", "id": "observed-data--db65ce08-daee-469c-96de-fe7d2d502572", "last_observed": "2019-08-23T13:50:01.000Z", "modified": "2019-08-23T13:50:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NTA6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo1MDowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:50:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:50:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:58.000Z", "id": "observed-data--7b78b82b-cccc-416e-9527-19109246301f", "last_observed": "2019-08-23T13:49:58.000Z", "modified": "2019-08-23T13:49:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:54.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:54.000Z", "id": "observed-data--120687f5-b14a-48e3-86ce-b9e9d469595a", "last_observed": "2019-08-23T13:49:54.000Z", "modified": "2019-08-23T13:49:54.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6NTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTo1NCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:54 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:54 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:51.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:51.000Z", "id": "observed-data--6d43ef3c-3622-4d6a-8d8a-0fd4bce6dd6f", "last_observed": "2019-08-23T13:49:51.000Z", "modified": "2019-08-23T13:49:51.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6NTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTo1MSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:51 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:51 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:48.000Z", "id": "observed-data--ed7f8485-0c62-4823-9fe9-17178895ae63", "last_observed": "2019-08-23T13:49:48.000Z", "modified": "2019-08-23T13:49:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:45.000Z", "id": "observed-data--7abd4406-626e-46a6-bb39-6b5f5f2b39b2", "last_observed": "2019-08-23T13:49:45.000Z", "modified": "2019-08-23T13:49:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:42.000Z", "id": "observed-data--981c00b2-19e4-4073-ac9c-07a9f42dff3d", "last_observed": "2019-08-23T13:49:42.000Z", "modified": "2019-08-23T13:49:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:39.000Z", "id": "observed-data--ba8975f9-ebd7-4930-860d-9e66178634ce", "last_observed": "2019-08-23T13:49:39.000Z", "modified": "2019-08-23T13:49:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:36.000Z", "id": "observed-data--288be35b-58ba-48e9-9c82-d04be6436966", "last_observed": "2019-08-23T13:49:36.000Z", "modified": "2019-08-23T13:49:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:32.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:32.000Z", "id": "observed-data--f2d0c392-69a5-4827-afa5-62676246b91e", "last_observed": "2019-08-23T13:49:32.000Z", "modified": "2019-08-23T13:49:32.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MzIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTozMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:32 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:32 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:29.000Z", "id": "observed-data--b7ea8f79-1309-4518-86a9-105ad15efabd", "last_observed": "2019-08-23T13:49:29.000Z", "modified": "2019-08-23T13:49:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:26.000Z", "id": "observed-data--7797ff62-8e25-4ee9-a371-6c259a822762", "last_observed": "2019-08-23T13:49:26.000Z", "modified": "2019-08-23T13:49:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:23.000Z", "id": "observed-data--bfb2799d-15b3-4a32-9749-f7311bcb3486", "last_observed": "2019-08-23T13:49:23.000Z", "modified": "2019-08-23T13:49:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:20.000Z", "id": "observed-data--214636f6-da3d-4894-bce5-991806975439", "last_observed": "2019-08-23T13:49:20.000Z", "modified": "2019-08-23T13:49:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:17.000Z", "id": "observed-data--c2fc57f7-5f54-40ac-ace4-fe90f5a34450", "last_observed": "2019-08-23T13:49:17.000Z", "modified": "2019-08-23T13:49:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:14.000Z", "id": "observed-data--92d3d6d3-5e6a-4b15-9c60-6f7e6b37b024", "last_observed": "2019-08-23T13:49:14.000Z", "modified": "2019-08-23T13:49:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:10.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:10.000Z", "id": "observed-data--520cdd60-2552-45ff-9484-fdf95b1ba8a0", "last_observed": "2019-08-23T13:49:10.000Z", "modified": "2019-08-23T13:49:10.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MTAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OToxMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:10 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:10 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:07.000Z", "id": "observed-data--25644e89-322c-487e-bd41-9d0818b49db0", "last_observed": "2019-08-23T13:49:07.000Z", "modified": "2019-08-23T13:49:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:04.000Z", "id": "observed-data--131236cd-a4e2-48cc-a5da-c5bd614fc2c1", "last_observed": "2019-08-23T13:49:04.000Z", "modified": "2019-08-23T13:49:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:49:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:49:01.000Z", "id": "observed-data--ff0599e0-0f17-4982-a54b-9b6135eae377", "last_observed": "2019-08-23T13:49:01.000Z", "modified": "2019-08-23T13:49:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDk6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0OTowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:49:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:49:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:58.000Z", "id": "observed-data--230f070b-1ec5-4667-80d8-788a2fea786f", "last_observed": "2019-08-23T13:48:58.000Z", "modified": "2019-08-23T13:48:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:55.000Z", "id": "observed-data--6c6cc360-928a-47b6-ab50-1c647c9894ae", "last_observed": "2019-08-23T13:48:55.000Z", "modified": "2019-08-23T13:48:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:52.000Z", "id": "observed-data--2c7c358b-1845-47d2-b12e-571e3bcf528a", "last_observed": "2019-08-23T13:48:52.000Z", "modified": "2019-08-23T13:48:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:48.000Z", "id": "observed-data--16206c5e-f482-4bb4-9813-d68bf698115a", "last_observed": "2019-08-23T13:48:48.000Z", "modified": "2019-08-23T13:48:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:45.000Z", "id": "observed-data--7c0d29ce-1007-4eab-aa4d-0d5a250d3bec", "last_observed": "2019-08-23T13:48:45.000Z", "modified": "2019-08-23T13:48:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:42.000Z", "id": "observed-data--5e9c569c-023e-4ba5-86b8-24920d405d67", "last_observed": "2019-08-23T13:48:42.000Z", "modified": "2019-08-23T13:48:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:39.000Z", "id": "observed-data--8bd54b75-8603-4be4-8bc0-c1dbb6c587ee", "last_observed": "2019-08-23T13:48:39.000Z", "modified": "2019-08-23T13:48:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:36.000Z", "id": "observed-data--dc8f34c5-a9e0-4259-8ea9-a00427b3f9af", "last_observed": "2019-08-23T13:48:36.000Z", "modified": "2019-08-23T13:48:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:33.000Z", "id": "observed-data--dd13ca0c-1af5-424d-bd42-62463c105fdd", "last_observed": "2019-08-23T13:48:33.000Z", "modified": "2019-08-23T13:48:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:29.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:29.000Z", "id": "observed-data--01cabed5-7c05-409f-b950-2e14a0cfe3a7", "last_observed": "2019-08-23T13:48:29.000Z", "modified": "2019-08-23T13:48:29.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MjkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoyOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:29 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:29 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:26.000Z", "id": "observed-data--c1577460-fdd1-48cd-8b0b-6c0c05c1c8d7", "last_observed": "2019-08-23T13:48:26.000Z", "modified": "2019-08-23T13:48:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:23.000Z", "id": "observed-data--8a3c1326-965e-4683-82c8-96e0907d491e", "last_observed": "2019-08-23T13:48:23.000Z", "modified": "2019-08-23T13:48:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:20.000Z", "id": "observed-data--7c17c10a-17ae-4585-b9ce-d835a75e2025", "last_observed": "2019-08-23T13:48:20.000Z", "modified": "2019-08-23T13:48:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:17.000Z", "id": "observed-data--2d760ea4-46a5-46ec-8766-07d2ad24902f", "last_observed": "2019-08-23T13:48:17.000Z", "modified": "2019-08-23T13:48:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:14.000Z", "id": "observed-data--07058df4-7cd4-479c-af7f-91252bd62e08", "last_observed": "2019-08-23T13:48:14.000Z", "modified": "2019-08-23T13:48:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:11.000Z", "id": "observed-data--2868abe1-04d0-4c03-a7e4-186789d40982", "last_observed": "2019-08-23T13:48:11.000Z", "modified": "2019-08-23T13:48:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:07.000Z", "id": "observed-data--711a2a37-0676-4209-aaac-e9d31ef4cecf", "last_observed": "2019-08-23T13:48:07.000Z", "modified": "2019-08-23T13:48:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:04.000Z", "id": "observed-data--f40f70bc-5d22-429c-8940-074a9f551e45", "last_observed": "2019-08-23T13:48:04.000Z", "modified": "2019-08-23T13:48:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:48:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:48:01.000Z", "id": "observed-data--34018c2f-2735-4fb4-9945-28d43dfd042e", "last_observed": "2019-08-23T13:48:01.000Z", "modified": "2019-08-23T13:48:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDg6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0ODowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:48:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:48:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:58.000Z", "id": "observed-data--7ad75928-d497-49b5-b81c-0de1851ab991", "last_observed": "2019-08-23T13:47:58.000Z", "modified": "2019-08-23T13:47:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Nzo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:55.000Z", "id": "observed-data--6c1973b3-88fc-482f-9d39-115f1284a2e8", "last_observed": "2019-08-23T13:47:55.000Z", "modified": "2019-08-23T13:47:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Nzo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:52.000Z", "id": "observed-data--efc29b50-8cd9-47ab-8878-0420e665d5be", "last_observed": "2019-08-23T13:47:52.000Z", "modified": "2019-08-23T13:47:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Nzo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:48.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:48.000Z", "id": "observed-data--3241c80c-7309-4864-b2f0-ff5636c0e8e6", "last_observed": "2019-08-23T13:47:48.000Z", "modified": "2019-08-23T13:47:48.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6NDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Nzo0OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:48 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:48 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:45.000Z", "id": "observed-data--919519d7-ec56-4f8d-8efc-60fb214872ef", "last_observed": "2019-08-23T13:47:45.000Z", "modified": "2019-08-23T13:47:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Nzo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:42.000Z", "id": "observed-data--76ca9ed2-5285-4e57-a312-c5ffcff79cde", "last_observed": "2019-08-23T13:47:42.000Z", "modified": "2019-08-23T13:47:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Nzo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:39.000Z", "id": "observed-data--4a1ea169-355d-4621-9757-f7615aac900e", "last_observed": "2019-08-23T13:47:39.000Z", "modified": "2019-08-23T13:47:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:36.000Z", "id": "observed-data--9bef860a-b5fd-4723-a67b-dfaa2832e531", "last_observed": "2019-08-23T13:47:36.000Z", "modified": "2019-08-23T13:47:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:33.000Z", "id": "observed-data--c8575c56-fb06-49d7-9167-8b4a9ca26977", "last_observed": "2019-08-23T13:47:33.000Z", "modified": "2019-08-23T13:47:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:30.000Z", "id": "observed-data--2bbb440f-c9ed-4f40-b246-dc6c46f647b7", "last_observed": "2019-08-23T13:47:30.000Z", "modified": "2019-08-23T13:47:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:26.000Z", "id": "observed-data--e1b30e72-4d9d-463b-9f4f-4dfbbfe5297d", "last_observed": "2019-08-23T13:47:26.000Z", "modified": "2019-08-23T13:47:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:23.000Z", "id": "observed-data--6895f3c6-6f84-41ca-8ef5-2f2f3245d405", "last_observed": "2019-08-23T13:47:23.000Z", "modified": "2019-08-23T13:47:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:20.000Z", "id": "observed-data--ed3fe0ab-166d-42a5-bf53-c1bd3c566af5", "last_observed": "2019-08-23T13:47:20.000Z", "modified": "2019-08-23T13:47:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:17.000Z", "id": "observed-data--99d2ddf0-ac37-42c9-bba6-a08ee7ecd78c", "last_observed": "2019-08-23T13:47:17.000Z", "modified": "2019-08-23T13:47:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:14.000Z", "id": "observed-data--ce1133ca-a7b5-4509-bc6f-f6c47b05fecb", "last_observed": "2019-08-23T13:47:14.000Z", "modified": "2019-08-23T13:47:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:11.000Z", "id": "observed-data--3557dc9a-9213-425c-a597-8cc01a2eea73", "last_observed": "2019-08-23T13:47:11.000Z", "modified": "2019-08-23T13:47:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:07.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:07.000Z", "id": "observed-data--f4d26cbc-7005-4e99-9991-df8695c6c4cd", "last_observed": "2019-08-23T13:47:07.000Z", "modified": "2019-08-23T13:47:07.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MDcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzowNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:07 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:07 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:04.000Z", "id": "observed-data--e14f8835-edfb-44ba-a0ac-1e6bb644de1b", "last_observed": "2019-08-23T13:47:04.000Z", "modified": "2019-08-23T13:47:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:47:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:47:01.000Z", "id": "observed-data--afabccc2-e3aa-474b-98b3-edd8189e4484", "last_observed": "2019-08-23T13:47:01.000Z", "modified": "2019-08-23T13:47:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDc6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NzowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:47:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:47:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:58.000Z", "id": "observed-data--3dcd1a06-64cd-4ae0-a4a4-147d637cde92", "last_observed": "2019-08-23T13:46:58.000Z", "modified": "2019-08-23T13:46:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Njo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:55.000Z", "id": "observed-data--1eb3a7d9-ff31-481d-bc0e-1b879610ed6a", "last_observed": "2019-08-23T13:46:55.000Z", "modified": "2019-08-23T13:46:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Njo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:52.000Z", "id": "observed-data--98f15c0b-ed38-482d-bffb-017cdea2d9b3", "last_observed": "2019-08-23T13:46:52.000Z", "modified": "2019-08-23T13:46:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Njo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:49.000Z", "id": "observed-data--dd30c2bb-99f3-48f3-8203-ff6d827deedf", "last_observed": "2019-08-23T13:46:49.000Z", "modified": "2019-08-23T13:46:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Njo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:45.000Z", "id": "observed-data--80a9b23e-f1bb-4660-83d2-a6899d9f8109", "last_observed": "2019-08-23T13:46:45.000Z", "modified": "2019-08-23T13:46:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Njo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:42.000Z", "id": "observed-data--c473ebfe-332d-4997-9d9f-4ffaf4de1120", "last_observed": "2019-08-23T13:46:42.000Z", "modified": "2019-08-23T13:46:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Njo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:39.000Z", "id": "observed-data--b8e8a498-b9ca-422d-858f-b49fa5956bb8", "last_observed": "2019-08-23T13:46:39.000Z", "modified": "2019-08-23T13:46:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:36.000Z", "id": "observed-data--423c94c6-c0f8-4268-a334-7b85872f1b30", "last_observed": "2019-08-23T13:46:36.000Z", "modified": "2019-08-23T13:46:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:33.000Z", "id": "observed-data--98b96009-3587-4552-bf3a-46c997008205", "last_observed": "2019-08-23T13:46:33.000Z", "modified": "2019-08-23T13:46:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:30.000Z", "id": "observed-data--ceb91a1a-e5af-4ca9-994d-b1f19cdb1f2c", "last_observed": "2019-08-23T13:46:30.000Z", "modified": "2019-08-23T13:46:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:26.000Z", "id": "observed-data--7f41ff2d-ed5e-49e6-a861-df16743c82fb", "last_observed": "2019-08-23T13:46:26.000Z", "modified": "2019-08-23T13:46:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjoyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:23.000Z", "id": "observed-data--7dbef760-51dd-4b9e-805f-e1b1b3a6a03c", "last_observed": "2019-08-23T13:46:23.000Z", "modified": "2019-08-23T13:46:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:20.000Z", "id": "observed-data--25d7de75-d36c-4ea3-9de9-11ddb06bc697", "last_observed": "2019-08-23T13:46:20.000Z", "modified": "2019-08-23T13:46:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:17.000Z", "id": "observed-data--1904d79e-26a7-48b6-9d6c-8ae568c81328", "last_observed": "2019-08-23T13:46:17.000Z", "modified": "2019-08-23T13:46:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:14.000Z", "id": "observed-data--2698dd81-06e4-4899-8120-70b3791d4dd3", "last_observed": "2019-08-23T13:46:14.000Z", "modified": "2019-08-23T13:46:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:11.000Z", "id": "observed-data--70a00d46-3cd7-4bdc-b9b3-a0c505cea186", "last_observed": "2019-08-23T13:46:11.000Z", "modified": "2019-08-23T13:46:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:08.000Z", "id": "observed-data--ef6d4b58-88ff-4524-8b3c-63d8ecb46ecd", "last_observed": "2019-08-23T13:46:08.000Z", "modified": "2019-08-23T13:46:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:04.000Z", "id": "observed-data--32630311-c71e-4e04-bc5f-9a5960ba5d7b", "last_observed": "2019-08-23T13:46:04.000Z", "modified": "2019-08-23T13:46:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:46:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:46:01.000Z", "id": "observed-data--6656e6a7-99be-4ad6-bd87-68ea6ac876a4", "last_observed": "2019-08-23T13:46:01.000Z", "modified": "2019-08-23T13:46:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDY6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NjowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:46:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:46:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:58.000Z", "id": "observed-data--7bfcd41f-75eb-4e6b-a7d9-6520d16595d4", "last_observed": "2019-08-23T13:45:58.000Z", "modified": "2019-08-23T13:45:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:55.000Z", "id": "observed-data--8be23d6b-d267-4454-a224-9b7e33a13c79", "last_observed": "2019-08-23T13:45:55.000Z", "modified": "2019-08-23T13:45:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:52.000Z", "id": "observed-data--2d2c0aac-1c65-49b5-a02f-ec6c39bf18bd", "last_observed": "2019-08-23T13:45:52.000Z", "modified": "2019-08-23T13:45:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:49.000Z", "id": "observed-data--d53edf2b-0574-455c-9dba-a9de5257191a", "last_observed": "2019-08-23T13:45:49.000Z", "modified": "2019-08-23T13:45:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:45.000Z", "id": "observed-data--2fa52899-9bf9-4c99-9aa5-f226b1991583", "last_observed": "2019-08-23T13:45:45.000Z", "modified": "2019-08-23T13:45:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:42.000Z", "id": "observed-data--e0d50eda-411f-42c5-87af-01cbe13f8aa9", "last_observed": "2019-08-23T13:45:42.000Z", "modified": "2019-08-23T13:45:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:39.000Z", "id": "observed-data--e7fcf18a-0eb2-4d13-800f-cd7691083ade", "last_observed": "2019-08-23T13:45:39.000Z", "modified": "2019-08-23T13:45:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:36.000Z", "id": "observed-data--9a88a471-95bd-4f13-a89d-b3455b6f4d8e", "last_observed": "2019-08-23T13:45:36.000Z", "modified": "2019-08-23T13:45:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:33.000Z", "id": "observed-data--4261c953-cc8c-437e-9f42-2695411fafcf", "last_observed": "2019-08-23T13:45:33.000Z", "modified": "2019-08-23T13:45:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:30.000Z", "id": "observed-data--0e9bd5c3-e4be-4ad9-a228-f7267d082a73", "last_observed": "2019-08-23T13:45:30.000Z", "modified": "2019-08-23T13:45:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:26.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:26.000Z", "id": "observed-data--094ff166-2407-4e03-b9ce-7c4ba1d5d974", "last_observed": "2019-08-23T13:45:26.000Z", "modified": "2019-08-23T13:45:26.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MjYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NToyNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:26 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:26 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:23.000Z", "id": "observed-data--8756d93c-5ed8-4e7c-8ffa-8c434a8372ea", "last_observed": "2019-08-23T13:45:23.000Z", "modified": "2019-08-23T13:45:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NToyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:20.000Z", "id": "observed-data--0eadc82f-1417-4c7d-8ccc-78a0869e30cc", "last_observed": "2019-08-23T13:45:20.000Z", "modified": "2019-08-23T13:45:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NToyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:17.000Z", "id": "observed-data--14f20f59-4ed7-4e97-81f7-a29a2d5e4f22", "last_observed": "2019-08-23T13:45:17.000Z", "modified": "2019-08-23T13:45:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NToxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:14.000Z", "id": "observed-data--7ab8db04-0709-46b3-ba49-07ec9d841b51", "last_observed": "2019-08-23T13:45:14.000Z", "modified": "2019-08-23T13:45:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NToxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:11.000Z", "id": "observed-data--df282c81-7e39-466e-af27-55e196a7e4fa", "last_observed": "2019-08-23T13:45:11.000Z", "modified": "2019-08-23T13:45:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NToxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:08.000Z", "id": "observed-data--176918fa-d7c8-4172-9bba-870feb540767", "last_observed": "2019-08-23T13:45:08.000Z", "modified": "2019-08-23T13:45:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:04.000Z", "id": "observed-data--676acd44-ee56-4a35-bfa8-f0cd9ba63f68", "last_observed": "2019-08-23T13:45:04.000Z", "modified": "2019-08-23T13:45:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:45:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:45:01.000Z", "id": "observed-data--d0198e29-e571-41af-bede-1199d99e47b1", "last_observed": "2019-08-23T13:45:01.000Z", "modified": "2019-08-23T13:45:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDU6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NTowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:45:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:45:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:58.000Z", "id": "observed-data--671519dc-f3a1-4ff7-a87d-1899db57b0ec", "last_observed": "2019-08-23T13:44:58.000Z", "modified": "2019-08-23T13:44:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:55.000Z", "id": "observed-data--a95f9309-f4fc-40f8-ae67-2d896c9bd1ef", "last_observed": "2019-08-23T13:44:55.000Z", "modified": "2019-08-23T13:44:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:52.000Z", "id": "observed-data--4b9d3fa0-f430-4764-9df0-3bdfafc187b8", "last_observed": "2019-08-23T13:44:52.000Z", "modified": "2019-08-23T13:44:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:49.000Z", "id": "observed-data--76fae356-e614-48ff-9be9-95a3639496e3", "last_observed": "2019-08-23T13:44:49.000Z", "modified": "2019-08-23T13:44:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:45.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:45.000Z", "id": "observed-data--33354af6-c74a-401b-8b00-b14e976f8dca", "last_observed": "2019-08-23T13:44:45.000Z", "modified": "2019-08-23T13:44:45.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6NDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDo0NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:45 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:45 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:42.000Z", "id": "observed-data--8f0c0f47-d064-42bf-b0e9-2175ad99d545", "last_observed": "2019-08-23T13:44:42.000Z", "modified": "2019-08-23T13:44:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:39.000Z", "id": "observed-data--8173436d-1c37-4aef-9752-7e0f75d607f0", "last_observed": "2019-08-23T13:44:39.000Z", "modified": "2019-08-23T13:44:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:36.000Z", "id": "observed-data--792fac06-5081-4e62-9cea-abcdbaab6e8e", "last_observed": "2019-08-23T13:44:36.000Z", "modified": "2019-08-23T13:44:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:33.000Z", "id": "observed-data--78cd4593-a822-4f41-bff7-c7535be88ecc", "last_observed": "2019-08-23T13:44:33.000Z", "modified": "2019-08-23T13:44:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:30.000Z", "id": "observed-data--e57885ac-a914-45f4-aeec-096275c39985", "last_observed": "2019-08-23T13:44:30.000Z", "modified": "2019-08-23T13:44:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:27.000Z", "id": "observed-data--90d1acc3-17e6-453a-b646-773f193a8e0b", "last_observed": "2019-08-23T13:44:27.000Z", "modified": "2019-08-23T13:44:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:23.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:23.000Z", "id": "observed-data--8e6109fd-0ff9-4c64-aa3e-95751bba5c19", "last_observed": "2019-08-23T13:44:23.000Z", "modified": "2019-08-23T13:44:23.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MjMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDoyMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:23 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:23 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:20.000Z", "id": "observed-data--47eb199e-ae27-42f0-b18d-3371213ff1aa", "last_observed": "2019-08-23T13:44:20.000Z", "modified": "2019-08-23T13:44:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:17.000Z", "id": "observed-data--da5a90f6-4075-42b4-840a-6a47d5bec052", "last_observed": "2019-08-23T13:44:17.000Z", "modified": "2019-08-23T13:44:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:14.000Z", "id": "observed-data--4fd9f29d-af94-415a-a0a7-bdf4c11766a7", "last_observed": "2019-08-23T13:44:14.000Z", "modified": "2019-08-23T13:44:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:11.000Z", "id": "observed-data--41c78f75-547c-4ceb-8aa2-be68f757d77c", "last_observed": "2019-08-23T13:44:11.000Z", "modified": "2019-08-23T13:44:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:08.000Z", "id": "observed-data--778ac484-e5a0-4b71-9c66-d031f00eefa7", "last_observed": "2019-08-23T13:44:08.000Z", "modified": "2019-08-23T13:44:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:04.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:04.000Z", "id": "observed-data--c14ad210-6555-49e0-acbb-1374866690f0", "last_observed": "2019-08-23T13:44:04.000Z", "modified": "2019-08-23T13:44:04.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MDQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDowNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:04 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:44:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:44:01.000Z", "id": "observed-data--1345ac4f-7a6c-4651-b07e-b4a1336dbbaf", "last_observed": "2019-08-23T13:44:01.000Z", "modified": "2019-08-23T13:44:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDQ6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0NDowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:44:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:44:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:58.000Z", "id": "observed-data--4148a60b-8c4b-4eaa-8b28-34e2677abe23", "last_observed": "2019-08-23T13:43:58.000Z", "modified": "2019-08-23T13:43:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mzo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:55.000Z", "id": "observed-data--4049803b-737f-4764-b6c0-bc0b424741da", "last_observed": "2019-08-23T13:43:55.000Z", "modified": "2019-08-23T13:43:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mzo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:52.000Z", "id": "observed-data--230cdca0-db47-444f-8be4-757033cc23f1", "last_observed": "2019-08-23T13:43:52.000Z", "modified": "2019-08-23T13:43:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mzo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:49.000Z", "id": "observed-data--6af1a777-dcbb-4855-b1a6-81015647b537", "last_observed": "2019-08-23T13:43:49.000Z", "modified": "2019-08-23T13:43:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mzo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:46.000Z", "id": "observed-data--962c91c3-0169-49a0-a085-f7af7160f4d8", "last_observed": "2019-08-23T13:43:46.000Z", "modified": "2019-08-23T13:43:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mzo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:42.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:42.000Z", "id": "observed-data--e970f397-cbe8-4b6f-8ac3-1ee8ab4351c6", "last_observed": "2019-08-23T13:43:42.000Z", "modified": "2019-08-23T13:43:42.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6NDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mzo0MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:42 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:42 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:39.000Z", "id": "observed-data--f3109cb9-68ae-41f5-9ded-f78dc5bd4913", "last_observed": "2019-08-23T13:43:39.000Z", "modified": "2019-08-23T13:43:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:36.000Z", "id": "observed-data--7f08575d-02f6-4017-b1b1-b1a3365c215c", "last_observed": "2019-08-23T13:43:36.000Z", "modified": "2019-08-23T13:43:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:33.000Z", "id": "observed-data--aaadb99e-fde0-4441-afce-f8fc7a6f4153", "last_observed": "2019-08-23T13:43:33.000Z", "modified": "2019-08-23T13:43:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:30.000Z", "id": "observed-data--2d9657ff-dc29-4955-8664-7eef4bbc7acf", "last_observed": "2019-08-23T13:43:30.000Z", "modified": "2019-08-23T13:43:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:27.000Z", "id": "observed-data--5d050555-3895-4aa8-986c-4f57771dacf5", "last_observed": "2019-08-23T13:43:27.000Z", "modified": "2019-08-23T13:43:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:24.000Z", "id": "observed-data--7a1ce487-eedf-412b-b642-c1195379603f", "last_observed": "2019-08-23T13:43:24.000Z", "modified": "2019-08-23T13:43:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:20.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:20.000Z", "id": "observed-data--f86237c4-91be-446b-956b-cd1dcc2e6a99", "last_observed": "2019-08-23T13:43:20.000Z", "modified": "2019-08-23T13:43:20.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MjAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzoyMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:20 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:20 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:17.000Z", "id": "observed-data--aa174398-4434-4eec-a68f-35eae6488865", "last_observed": "2019-08-23T13:43:17.000Z", "modified": "2019-08-23T13:43:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:14.000Z", "id": "observed-data--911f6b40-e450-4b0c-8224-40e50f0f4fd9", "last_observed": "2019-08-23T13:43:14.000Z", "modified": "2019-08-23T13:43:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:11.000Z", "id": "observed-data--9dc2bcf6-e694-46dc-a705-352250940869", "last_observed": "2019-08-23T13:43:11.000Z", "modified": "2019-08-23T13:43:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:08.000Z", "id": "observed-data--96474586-e53a-4b35-9aae-65357de4b597", "last_observed": "2019-08-23T13:43:08.000Z", "modified": "2019-08-23T13:43:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:05.000Z", "id": "observed-data--b65c9ba6-1a61-4b10-be1b-4206cdc2d1b6", "last_observed": "2019-08-23T13:43:05.000Z", "modified": "2019-08-23T13:43:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:43:01.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:43:01.000Z", "id": "observed-data--c29b193f-b4dd-4dd9-aa8b-2230cb2ba79e", "last_observed": "2019-08-23T13:43:01.000Z", "modified": "2019-08-23T13:43:01.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDM6MDEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MzowMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:43:01 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:43:01 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:58.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:58.000Z", "id": "observed-data--b6f4ff0b-b2bd-4466-94a0-ac5d32204cef", "last_observed": "2019-08-23T13:42:58.000Z", "modified": "2019-08-23T13:42:58.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6NTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mjo1OCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:58 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:58 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:55.000Z", "id": "observed-data--4d62264f-ff2b-42fa-b3e6-aabe18e0cb69", "last_observed": "2019-08-23T13:42:55.000Z", "modified": "2019-08-23T13:42:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mjo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:52.000Z", "id": "observed-data--89b3c6f5-e53e-47da-b3fd-9ff125ec741a", "last_observed": "2019-08-23T13:42:52.000Z", "modified": "2019-08-23T13:42:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mjo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:49.000Z", "id": "observed-data--46d3daf0-a890-49b0-8956-8c666b15499f", "last_observed": "2019-08-23T13:42:49.000Z", "modified": "2019-08-23T13:42:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mjo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:46.000Z", "id": "observed-data--d4675fb8-62fb-4f22-9dbe-f201368c8da5", "last_observed": "2019-08-23T13:42:46.000Z", "modified": "2019-08-23T13:42:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mjo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:43.000Z", "id": "observed-data--b5c49ff1-14cc-40f1-adc3-071aab942491", "last_observed": "2019-08-23T13:42:43.000Z", "modified": "2019-08-23T13:42:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0Mjo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:39.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:39.000Z", "id": "observed-data--e75ca115-1592-433f-90fa-573ba839d332", "last_observed": "2019-08-23T13:42:39.000Z", "modified": "2019-08-23T13:42:39.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MzkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjozOSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:39 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:39 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:36.000Z", "id": "observed-data--6011bdf9-3fcf-4a56-a4e7-6a0fd96d2a8f", "last_observed": "2019-08-23T13:42:36.000Z", "modified": "2019-08-23T13:42:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:33.000Z", "id": "observed-data--fcd5affe-945c-44cc-bb54-5f7beaf1cac0", "last_observed": "2019-08-23T13:42:33.000Z", "modified": "2019-08-23T13:42:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:30.000Z", "id": "observed-data--be1db0bc-a06e-4ba2-8d4a-33b6bd50cb07", "last_observed": "2019-08-23T13:42:30.000Z", "modified": "2019-08-23T13:42:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:27.000Z", "id": "observed-data--3eb58db2-8306-43e5-9f66-c2bfaf0357e8", "last_observed": "2019-08-23T13:42:27.000Z", "modified": "2019-08-23T13:42:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:24.000Z", "id": "observed-data--14155127-5506-4bc8-a1e1-c420a107bdb8", "last_observed": "2019-08-23T13:42:24.000Z", "modified": "2019-08-23T13:42:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:21.000Z", "id": "observed-data--0d172bd1-2097-4342-8894-f2449c80289f", "last_observed": "2019-08-23T13:42:21.000Z", "modified": "2019-08-23T13:42:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:17.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:17.000Z", "id": "observed-data--9870361a-244e-4b04-84be-48ea5a7fffb3", "last_observed": "2019-08-23T13:42:17.000Z", "modified": "2019-08-23T13:42:17.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MTcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjoxNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:17 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:17 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:14.000Z", "id": "observed-data--75bf5c1f-a6ab-49e8-92de-c43596d2bcaf", "last_observed": "2019-08-23T13:42:14.000Z", "modified": "2019-08-23T13:42:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:11.000Z", "id": "observed-data--b76bd297-58ea-4040-a620-46abf7a4c76d", "last_observed": "2019-08-23T13:42:11.000Z", "modified": "2019-08-23T13:42:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:08.000Z", "id": "observed-data--f781d8bb-1313-4a4a-a5ee-d4ccf81aacd7", "last_observed": "2019-08-23T13:42:08.000Z", "modified": "2019-08-23T13:42:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:05.000Z", "id": "observed-data--b69c3ab2-7188-4a7b-a76e-8c5899091fff", "last_observed": "2019-08-23T13:42:05.000Z", "modified": "2019-08-23T13:42:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:42:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:42:02.000Z", "id": "observed-data--8ae71b27-d73e-4989-92f9-1ad531df726b", "last_observed": "2019-08-23T13:42:02.000Z", "modified": "2019-08-23T13:42:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDI6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MjowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:42:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:42:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:59.000Z", "id": "observed-data--ef0b1f8c-f52f-451a-a8c5-e804ce2e5458", "last_observed": "2019-08-23T13:41:59.000Z", "modified": "2019-08-23T13:41:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:55.000Z", "id": "observed-data--a4c5a7e1-af4c-4475-a6b6-2b7b2015aef5", "last_observed": "2019-08-23T13:41:55.000Z", "modified": "2019-08-23T13:41:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:52.000Z", "id": "observed-data--08253d12-2ca6-4dae-95f8-854d98c7ac1a", "last_observed": "2019-08-23T13:41:52.000Z", "modified": "2019-08-23T13:41:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:49.000Z", "id": "observed-data--8756bfba-441f-44c8-b085-2e1a50b1ffcf", "last_observed": "2019-08-23T13:41:49.000Z", "modified": "2019-08-23T13:41:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:46.000Z", "id": "observed-data--a8061953-660c-4f01-a8b3-ca76022791e1", "last_observed": "2019-08-23T13:41:46.000Z", "modified": "2019-08-23T13:41:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:43.000Z", "id": "observed-data--4ca53ab0-16f4-4cba-8e66-93bb932b38ac", "last_observed": "2019-08-23T13:41:43.000Z", "modified": "2019-08-23T13:41:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:40.000Z", "id": "observed-data--038e1afe-b5f5-49a1-9176-c63517ce345e", "last_observed": "2019-08-23T13:41:40.000Z", "modified": "2019-08-23T13:41:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:36.000Z", "id": "observed-data--9e8f4d33-9697-490a-9077-434f743a6b2c", "last_observed": "2019-08-23T13:41:36.000Z", "modified": "2019-08-23T13:41:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:33.000Z", "id": "observed-data--d54fe207-d941-4bdc-951d-e587687954a5", "last_observed": "2019-08-23T13:41:33.000Z", "modified": "2019-08-23T13:41:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:30.000Z", "id": "observed-data--4634a2e0-338c-4034-bf0a-fa69c961793c", "last_observed": "2019-08-23T13:41:30.000Z", "modified": "2019-08-23T13:41:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:27.000Z", "id": "observed-data--e877d0b9-b497-4c5b-8f35-e6e044247bfb", "last_observed": "2019-08-23T13:41:27.000Z", "modified": "2019-08-23T13:41:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MToyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:24.000Z", "id": "observed-data--acf6cb6c-baa2-44bb-a87e-c5284204deb7", "last_observed": "2019-08-23T13:41:24.000Z", "modified": "2019-08-23T13:41:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MToyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:21.000Z", "id": "observed-data--41ec3ca5-4367-49e3-93b1-899f285173b9", "last_observed": "2019-08-23T13:41:21.000Z", "modified": "2019-08-23T13:41:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MToyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:18.000Z", "id": "observed-data--8834f2a5-e5d2-483b-be68-3fe45c651d20", "last_observed": "2019-08-23T13:41:18.000Z", "modified": "2019-08-23T13:41:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:14.000Z", "id": "observed-data--a73508ba-0116-4e98-a58c-291c3c829b3c", "last_observed": "2019-08-23T13:41:14.000Z", "modified": "2019-08-23T13:41:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MToxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:11.000Z", "id": "observed-data--68605ae2-2704-4c9f-93da-3d8738276874", "last_observed": "2019-08-23T13:41:11.000Z", "modified": "2019-08-23T13:41:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MToxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:08.000Z", "id": "observed-data--7cd56e01-a58d-499b-995c-b0eddad6926f", "last_observed": "2019-08-23T13:41:08.000Z", "modified": "2019-08-23T13:41:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:05.000Z", "id": "observed-data--10ea0b91-6424-4f33-9cb8-562f180d5c12", "last_observed": "2019-08-23T13:41:05.000Z", "modified": "2019-08-23T13:41:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:41:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:41:02.000Z", "id": "observed-data--50ab4551-6156-4130-b1e1-9c060cc87200", "last_observed": "2019-08-23T13:41:02.000Z", "modified": "2019-08-23T13:41:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDE6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:41:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:41:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:59.000Z", "id": "observed-data--806a1343-487a-451d-9d37-ed00e6ee00c9", "last_observed": "2019-08-23T13:40:59.000Z", "modified": "2019-08-23T13:40:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:55.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:55.000Z", "id": "observed-data--7910e732-edf3-40d7-a19b-b9333f4787d4", "last_observed": "2019-08-23T13:40:55.000Z", "modified": "2019-08-23T13:40:55.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo1NSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:55 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:55 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:52.000Z", "id": "observed-data--058e5391-37fc-4ac1-8e68-a119896696ae", "last_observed": "2019-08-23T13:40:52.000Z", "modified": "2019-08-23T13:40:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:49.000Z", "id": "observed-data--8d32d709-d26d-4ad8-acfb-347e1f377cb1", "last_observed": "2019-08-23T13:40:49.000Z", "modified": "2019-08-23T13:40:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:46.000Z", "id": "observed-data--72a61f0f-8682-42b7-b16f-c8edf5b4599d", "last_observed": "2019-08-23T13:40:46.000Z", "modified": "2019-08-23T13:40:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:43.000Z", "id": "observed-data--b22c6cf4-fed3-4e24-96b1-e46cd4b21209", "last_observed": "2019-08-23T13:40:43.000Z", "modified": "2019-08-23T13:40:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:40.000Z", "id": "observed-data--fc3b0f9e-6bd5-4413-89f4-30ed035c12f3", "last_observed": "2019-08-23T13:40:40.000Z", "modified": "2019-08-23T13:40:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:36.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:36.000Z", "id": "observed-data--9901aa8e-816b-41dc-a323-0db2931a9afe", "last_observed": "2019-08-23T13:40:36.000Z", "modified": "2019-08-23T13:40:36.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MzYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDozNiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:36 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:36 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:33.000Z", "id": "observed-data--8f844f6b-a6b4-4b63-9df4-96e6914e9b15", "last_observed": "2019-08-23T13:40:33.000Z", "modified": "2019-08-23T13:40:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:30.000Z", "id": "observed-data--cf5913c3-c72c-4959-8f5f-f3c90c630144", "last_observed": "2019-08-23T13:40:30.000Z", "modified": "2019-08-23T13:40:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:27.000Z", "id": "observed-data--571b1fe7-f56f-4661-b9d4-71fe635198ee", "last_observed": "2019-08-23T13:40:27.000Z", "modified": "2019-08-23T13:40:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDoyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:24.000Z", "id": "observed-data--eb1d9916-d44b-4dc8-b08c-3db371d44c7b", "last_observed": "2019-08-23T13:40:24.000Z", "modified": "2019-08-23T13:40:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDoyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:21.000Z", "id": "observed-data--76500169-8789-4d1a-b1ad-bb78a7513974", "last_observed": "2019-08-23T13:40:21.000Z", "modified": "2019-08-23T13:40:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDoyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:18.000Z", "id": "observed-data--8fe9f766-3169-45e0-9d99-36ec33cd4dc0", "last_observed": "2019-08-23T13:40:18.000Z", "modified": "2019-08-23T13:40:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDoxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:14.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:14.000Z", "id": "observed-data--d084df4a-7e3a-49f9-aa31-0be25a3f8dc5", "last_observed": "2019-08-23T13:40:14.000Z", "modified": "2019-08-23T13:40:14.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MTQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDoxNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:14 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:14 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:11.000Z", "id": "observed-data--5db4e97c-1a64-4ad6-9c84-708ad93b938c", "last_observed": "2019-08-23T13:40:11.000Z", "modified": "2019-08-23T13:40:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDoxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:08.000Z", "id": "observed-data--18a5a135-95ec-4c63-8aeb-f1829d8134dd", "last_observed": "2019-08-23T13:40:08.000Z", "modified": "2019-08-23T13:40:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:05.000Z", "id": "observed-data--2ad846e2-3bf2-4801-8ccb-c801c990d9d7", "last_observed": "2019-08-23T13:40:05.000Z", "modified": "2019-08-23T13:40:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:40:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:40:02.000Z", "id": "observed-data--26f3f231-d66a-4f31-925e-e7ea7ee78b71", "last_observed": "2019-08-23T13:40:02.000Z", "modified": "2019-08-23T13:40:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6NDA6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzo0MDowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:40:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:40:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:59.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:59.000Z", "id": "observed-data--ead2b28a-41fc-4e97-879f-d192ec613033", "last_observed": "2019-08-23T13:39:59.000Z", "modified": "2019-08-23T13:39:59.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:56.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:56.000Z", "id": "observed-data--ee6e71d4-9ecf-4e72-923b-eb1d43677539", "last_observed": "2019-08-23T13:39:56.000Z", "modified": "2019-08-23T13:39:56.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NTYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo1NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:56 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:56 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:52.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:52.000Z", "id": "observed-data--236dfe6b-368f-4db5-9db4-d22a5281048c", "last_observed": "2019-08-23T13:39:52.000Z", "modified": "2019-08-23T13:39:52.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NTIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo1MiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:52 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:52 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:49.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:49.000Z", "id": "observed-data--c9e945ea-318b-4868-8543-ff94592cbd15", "last_observed": "2019-08-23T13:39:49.000Z", "modified": "2019-08-23T13:39:49.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NDkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo0OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:49 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:49 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:46.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:46.000Z", "id": "observed-data--81bf7828-c7f1-4aa6-86f5-4ff0879f7d77", "last_observed": "2019-08-23T13:39:46.000Z", "modified": "2019-08-23T13:39:46.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NDYgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo0NiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:46 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:46 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:43.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:43.000Z", "id": "observed-data--5317b8ec-2dc0-467a-bf00-8e6479b49d7c", "last_observed": "2019-08-23T13:39:43.000Z", "modified": "2019-08-23T13:39:43.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NDMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo0MyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:43 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:43 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:40.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:40.000Z", "id": "observed-data--c47c674b-54b5-4344-859c-ccadfd7b4717", "last_observed": "2019-08-23T13:39:40.000Z", "modified": "2019-08-23T13:39:40.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6NDAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTo0MCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:40 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:40 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:37.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:37.000Z", "id": "observed-data--226e0b6e-b6c3-448b-a0a7-dd09a37eae51", "last_observed": "2019-08-23T13:39:37.000Z", "modified": "2019-08-23T13:39:37.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MzcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTozNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:37 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:37 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:33.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:33.000Z", "id": "observed-data--c6ec5d27-3820-4d71-896b-2cc7910da848", "last_observed": "2019-08-23T13:39:33.000Z", "modified": "2019-08-23T13:39:33.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MzMgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTozMyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:33 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:33 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:30.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:30.000Z", "id": "observed-data--5ece587d-7ab5-4f86-bf1b-53db1f4615cb", "last_observed": "2019-08-23T13:39:30.000Z", "modified": "2019-08-23T13:39:30.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MzAgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTozMCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:30 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:30 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:27.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:27.000Z", "id": "observed-data--e46ac4c2-1cb6-47c1-99d5-14e6b499ebd0", "last_observed": "2019-08-23T13:39:27.000Z", "modified": "2019-08-23T13:39:27.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MjcgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOToyNyBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:27 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:27 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:24.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:24.000Z", "id": "observed-data--9a6367b0-ac74-4236-85dc-9b8635b35667", "last_observed": "2019-08-23T13:39:24.000Z", "modified": "2019-08-23T13:39:24.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MjQgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOToyNCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:24 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:24 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:21.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:21.000Z", "id": "observed-data--5dcafc70-ef88-4e65-b8b4-eae22456597c", "last_observed": "2019-08-23T13:39:21.000Z", "modified": "2019-08-23T13:39:21.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MjEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOToyMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:21 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:21 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:18.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:18.000Z", "id": "observed-data--a496ee16-0b8b-49ca-b910-2f52620a571e", "last_observed": "2019-08-23T13:39:18.000Z", "modified": "2019-08-23T13:39:18.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MTggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOToxOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:18 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:18 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:15.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:15.000Z", "id": "observed-data--ec7cedf1-6c69-48a0-b40a-8029efac3d38", "last_observed": "2019-08-23T13:39:15.000Z", "modified": "2019-08-23T13:39:15.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MTUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOToxNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:15 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:15 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:11.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:11.000Z", "id": "observed-data--490714d9-a247-4b9c-b2ca-44dee6b5cae5", "last_observed": "2019-08-23T13:39:11.000Z", "modified": "2019-08-23T13:39:11.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MTEgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOToxMSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:11 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:11 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:08.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:08.000Z", "id": "observed-data--c0bdea5c-8d32-4d9c-a7b1-5bd7817330fd", "last_observed": "2019-08-23T13:39:08.000Z", "modified": "2019-08-23T13:39:08.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MDggMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTowOCBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:08 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:08 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:05.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:05.000Z", "id": "observed-data--342fde2c-5eb9-4511-80ae-72e4a4f63e22", "last_observed": "2019-08-23T13:39:05.000Z", "modified": "2019-08-23T13:39:05.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MDUgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTowNSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:05 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:05 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } }, { "created": "2019-08-23T13:39:02.000Z", "created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6", "first_observed": "2019-08-23T13:39:02.000Z", "id": "observed-data--7709dbed-40e8-4d4c-beb3-c7023f771204", "last_observed": "2019-08-23T13:39:02.000Z", "modified": "2019-08-23T13:39:02.000Z", "number_observed": 1, "objects": { "0": { "resolves_to_refs": ["2"], "type": "ipv4-addr", "value": "192.168.0.1" }, "1": { "dst_port": 1120, "dst_ref": "3", "protocols": [ "tcp" ], "src_port": 1220, "src_ref": "0", "type": "network-traffic" }, "2": { "type": "mac-addr", "value": "aa:bb:cc:dd:11:22" }, "3": { "resolves_to_refs": ["4"], "type": "ipv4-addr", "value": "127.0.0.1" }, "4": { "type": "mac-addr", "value": "ee:dd:bb:aa:cc:11" }, "5": { "hashes": { "SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0" }, "type": "file" }, "6": { "account_login": "test", "type": "user-account", "user_id": "test" }, "7": { "type": "url", "value": "https://test.fireeye.com/malware_analysis/analyses?maid=1" }, "8": { "type": "domain-name", "value": "test.fireeye.com" }, "9": { "payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK", "type": "artifact" } }, "type": "observed-data", "x_com_splunk_spl": { "user": "sname", "utf8_payload": "Aug 23 2019 13:39:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2019 13:39:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n" } } ], "type": "bundle" }