<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:ASObj="http://cybox.mitre.org/objects#ASObject-1"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:HTTPSessionObj="http://cybox.mitre.org/objects#HTTPSessionObject-2"
xmlns:HostnameObj="http://cybox.mitre.org/objects#HostnameObject-1"
xmlns:MutexObj="http://cybox.mitre.org/objects#MutexObject-2"
xmlns:PipeObj="http://cybox.mitre.org/objects#PipeObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:WinRegistryKeyObj="http://cybox.mitre.org/objects#WinRegistryKeyObject-2"
xmlns:marking="http://data-marking.mitre.org/Marking-1"
xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix-ciqidentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:snortTM="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#ASObject-1 http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd
http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd
http://cybox.mitre.org/objects#DomainNameObject-1 http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd
http://cybox.mitre.org/objects#EmailMessageObject-2 http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd
http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd
http://cybox.mitre.org/objects#HTTPSessionObject-2 http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd
http://cybox.mitre.org/objects#HostnameObject-1 http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd
http://cybox.mitre.org/objects#MutexObject-2 http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd
http://cybox.mitre.org/objects#PipeObject-2 http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd
http://cybox.mitre.org/objects#URIObject-2 http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd
http://cybox.mitre.org/objects#WinRegistryKeyObject-2 http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd
http://data-marking.mitre.org/Marking-1 http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd
http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1 http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd
http://stix.mitre.org/ExploitTarget-1 http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd
http://stix.mitre.org/ThreatActor-1 http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd
http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd
http://stix.mitre.org/extensions/TestMechanism#Snort-1 http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd
urn:oasis:names:tc:ciq:xal:3 http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd
urn:oasis:names:tc:ciq:xnl:3 http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd
urn:oasis:names:tc:ciq:xpil:3 http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd" id=":Package-b50c3fdf-7ad2-4c13-8973-7e1d1a14dc92" version="1.1.1" timestamp="2017-07-04T15:38:19.891359+00:00">
<!-- Header of the outer wrapper package. It carries only a generic title and intent;
     the event's own title and its indicators sit in the nested package under
     stix:Related_Packages that follows this header. -->
<stix:STIX_Header>
<stix:Title>Export from MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:Related_Packages>
<stix:Related_Package>
<stix:Package id=":STIXPackage-595baf14-d8e8-4e33-be25-06e38e96ca05" version="1.1.1" timestamp="2017-07-04T11:24:18+00:00">
<stix:STIX_Header>
<stix:Title>Insider Information: An intrusion campaign targeting Chinese language news sites (MISP Event #108)</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:Incidents>
<stix:Incident id=":incident-595baf14-d8e8-4e33-be25-06e38e96ca05" timestamp="2017-07-04T11:25:53+00:00" xsi:type='incident:IncidentType'>
<incident:Title>Insider Information: An intrusion campaign targeting Chinese language news sites</incident:Title>
<incident:External_ID source="MISP Event">108</incident:External_ID>
<incident:Time>
<incident:Incident_Discovery precision="second">2017-07-04T00:00:00+00:00</incident:Incident_Discovery>
<incident:Incident_Reported precision="second">2017-07-04T11:25:53+00:00</incident:Incident_Reported>
</incident:Time>
<incident:Status xsi:type="stixVocabs:IncidentStatusVocab-1.0">New</incident:Status>
<incident:Related_Indicators>
<!-- One MISP attribute exported as a STIX indicator: a single file, identified by its
     MD5 value and nothing else (no file name, size or stronger hash is present).
     MD5 is not collision-resistant, so a match is a lead to confirm against a stronger
     hash where one can be obtained, not proof that the file is the same sample. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-2550-44cc-8747-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 19c5f8829444956ba30e023aaaec6408 (MISP Attribute #16407)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 19c5f8829444956ba30e023aaaec6408 (MISP Attribute #16407)</indicator:Description>
<!-- Empty element: no start or end of validity is stated, so the file itself gives
     no basis for expiring this indicator. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-2550-44cc-8747-06e38e96ca05">
<cybox:Object id=":File-595bb322-2550-44cc-8747-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<!-- Both the hash type and the hash value are matched with condition="Equals". -->
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">19c5f8829444956ba30e023aaaec6408</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence is "None". Per the Description below this value is derived from the
     MISP IDS flag, which means the source attribute was not marked for IDS export.
     NOTE(review): confirm the consuming pipeline does not treat "None" as actionable
     for automatic blocking. -->
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-12c0-4c0c-8d64-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: ac5763000ae435875f3b709a5f23ecc0 (MISP Attribute #16408)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: ac5763000ae435875f3b709a5f23ecc0 (MISP Attribute #16408)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-12c0-4c0c-8d64-06e38e96ca05">
<cybox:Object id=":File-595bb322-12c0-4c0c-8d64-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">ac5763000ae435875f3b709a5f23ecc0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-0d44-4380-9208-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: d80fc6a4f175e3ab417b9f96c3b37c73 (MISP Attribute #16409)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: d80fc6a4f175e3ab417b9f96c3b37c73 (MISP Attribute #16409)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-0d44-4380-9208-06e38e96ca05">
<cybox:Object id=":File-595bb322-0d44-4380-9208-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">d80fc6a4f175e3ab417b9f96c3b37c73</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-fa5c-4ee1-b354-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 945de4d3a046a698aec222fc90a148ba (MISP Attribute #16410)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 945de4d3a046a698aec222fc90a148ba (MISP Attribute #16410)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-fa5c-4ee1-b354-06e38e96ca05">
<cybox:Object id=":File-595bb322-fa5c-4ee1-b354-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">945de4d3a046a698aec222fc90a148ba</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-7e84-47a6-a022-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 95efa51b52f121cec239980127b7f96b (MISP Attribute #16411)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 95efa51b52f121cec239980127b7f96b (MISP Attribute #16411)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-7e84-47a6-a022-06e38e96ca05">
<cybox:Object id=":File-595bb322-7e84-47a6-a022-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">95efa51b52f121cec239980127b7f96b</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-f1a0-4a70-a9ad-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 13b148aead5e844f7262da768873cec0 (MISP Attribute #16412)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 13b148aead5e844f7262da768873cec0 (MISP Attribute #16412)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-f1a0-4a70-a9ad-06e38e96ca05">
<cybox:Object id=":File-595bb322-f1a0-4a70-a9ad-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">13b148aead5e844f7262da768873cec0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-dfec-480b-9ec1-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 029ba5f0f6997bc36a094e86848a5b82 (MISP Attribute #16413)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 029ba5f0f6997bc36a094e86848a5b82 (MISP Attribute #16413)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-dfec-480b-9ec1-06e38e96ca05">
<cybox:Object id=":File-595bb322-dfec-480b-9ec1-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">029ba5f0f6997bc36a094e86848a5b82</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-59ac-4310-aa50-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: e841ecaa44b3589120b72e60b53f39c6 (MISP Attribute #16414)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: e841ecaa44b3589120b72e60b53f39c6 (MISP Attribute #16414)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-59ac-4310-aa50-06e38e96ca05">
<cybox:Object id=":File-595bb322-59ac-4310-aa50-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">e841ecaa44b3589120b72e60b53f39c6</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-4794-4b32-8ad7-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 88e027b1ef7b2da1766e6b6819bba0f0 (MISP Attribute #16415)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 88e027b1ef7b2da1766e6b6819bba0f0 (MISP Attribute #16415)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-4794-4b32-8ad7-06e38e96ca05">
<cybox:Object id=":File-595bb322-4794-4b32-8ad7-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">88e027b1ef7b2da1766e6b6819bba0f0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-34b4-4c04-a93c-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: bb080489dbc98a59cac130475e019fb2 (MISP Attribute #16416)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: bb080489dbc98a59cac130475e019fb2 (MISP Attribute #16416)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-34b4-4c04-a93c-06e38e96ca05">
<cybox:Object id=":File-595bb322-34b4-4c04-a93c-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">bb080489dbc98a59cac130475e019fb2</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-a12c-4e3f-b0ee-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 88f43fe753e64d9c536fca16979984ef (MISP Attribute #16417)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 88f43fe753e64d9c536fca16979984ef (MISP Attribute #16417)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-a12c-4e3f-b0ee-06e38e96ca05">
<cybox:Object id=":File-595bb322-a12c-4e3f-b0ee-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">88f43fe753e64d9c536fca16979984ef</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-90a4-47f8-9056-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: f282fd20d7eaebe848b5111ecdae82a6 (MISP Attribute #16418)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: f282fd20d7eaebe848b5111ecdae82a6 (MISP Attribute #16418)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-90a4-47f8-9056-06e38e96ca05">
<cybox:Object id=":File-595bb322-90a4-47f8-9056-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">f282fd20d7eaebe848b5111ecdae82a6</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-0618-43dc-bd26-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: e0338b1f010fdc4751de5f58e4acf2ad (MISP Attribute #16419)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: e0338b1f010fdc4751de5f58e4acf2ad (MISP Attribute #16419)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-0618-43dc-bd26-06e38e96ca05">
<cybox:Object id=":File-595bb322-0618-43dc-bd26-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">e0338b1f010fdc4751de5f58e4acf2ad</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-0b70-4d94-873f-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: c1dabd54a672cbc2747c53a8041d5602 (MISP Attribute #16420)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: c1dabd54a672cbc2747c53a8041d5602 (MISP Attribute #16420)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-0b70-4d94-873f-06e38e96ca05">
<cybox:Object id=":File-595bb322-0b70-4d94-873f-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">c1dabd54a672cbc2747c53a8041d5602</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-897c-4d64-99b1-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 2332aa40d15399179c068ab205a5303d (MISP Attribute #16421)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 2332aa40d15399179c068ab205a5303d (MISP Attribute #16421)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-897c-4d64-99b1-06e38e96ca05">
<cybox:Object id=":File-595bb322-897c-4d64-99b1-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">2332aa40d15399179c068ab205a5303d</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- File-hash watchlist entry for a dropped artifact, matched on an exact MD5 value.
     Confidence is "None"; per the Description below that means the attribute was not marked
     for IDS export in MISP, so treat a hit as a hunting lead rather than grounds for automatic blocking.
     Only an MD5 is given here; MD5 is collision-prone, so corroborate with a stronger hash if the source event has one.
     NOTE(review): the id values start with ':' (empty namespace prefix); strict STIX 1.x validators
     may reject that as a QName. Confirm the exporter's namespace setting. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb322-88f8-4934-93ca-06e38e96ca05" timestamp="2017-07-04T11:24:18+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Artifacts dropped: 4ddf012d8a42ad2666e06ad2f0a8410e (MISP Attribute #16422)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Description>Artifacts dropped: 4ddf012d8a42ad2666e06ad2f0a8410e (MISP Attribute #16422)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb322-88f8-4934-93ca-06e38e96ca05">
<cybox:Object id=":File-595bb322-88f8-4934-93ca-06e38e96ca05">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">4ddf012d8a42ad2666e06ad2f0a8410e</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:24:18+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Attribution entry: an e-mail address carried only in the Title and Description text.
     There is no indicator:Observable element, so consumers that match on CybOX observables
     get nothing machine-readable from this entry.
     Confidence is "None" (not marked for IDS export in MISP, per the Description): analyst context, not a detection rule.
     NOTE(review): the Type is "Malware Artifacts" although the relationship is "Attribution";
     presumably an exporter default. Confirm before filtering on Type. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Attribution</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb024-550c-4f0e-89b0-06e38e96ca05" timestamp="2017-07-04T11:11:32+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Attribution: aobama_5@yahoo.com (MISP Attribute #16353)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Description>Attribution: aobama_5@yahoo.com (MISP Attribute #16353)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Confidence timestamp="2017-07-04T11:11:32+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for network activity. condition="Equals" is an exact match on this
     FQDN only; sibling hosts and the parent domain need their own entries.
     Confidence "High" follows from the MISP IDS flag (see the Confidence Description).
     Valid_Time_Position is empty, so the entry carries no validity window: age it out from the
     2017-07-04 timestamp according to local policy. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb19a-2bec-4af4-bd28-06e28e96ca05" timestamp="2017-07-04T11:17:46+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Network activity: email23.secuerserver.com (MISP Attribute #16374)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Network activity: email23.secuerserver.com (MISP Attribute #16374)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb19a-2bec-4af4-bd28-06e28e96ca05">
<cybox:Object id=":DomainName-595bb19a-2bec-4af4-bd28-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">email23.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:17:46+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for network activity, exact match on the FQDN, confidence "High".
     The same hostname also appears in this package as a "Payload delivery" indicator
     (MISP Attribute #16362) with a different id: deduplicate by value when loading a blocklist,
     but keep both relationships for context. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb19a-3be4-4267-9c73-06e28e96ca05" timestamp="2017-07-04T11:17:46+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Network activity: hk.secuerserver.com (MISP Attribute #16375)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Network activity: hk.secuerserver.com (MISP Attribute #16375)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb19a-3be4-4267-9c73-06e28e96ca05">
<cybox:Object id=":DomainName-595bb19a-3be4-4267-9c73-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">hk.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:17:46+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for network activity, exact match on the FQDN, confidence "High".
     The parent name bowenpress.org is listed separately as a "Payload delivery" indicator
     (MISP Attribute #16357); this entry does not cover it, and that one does not cover this host. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb19a-53fc-4c93-87b1-06e28e96ca05" timestamp="2017-07-04T11:17:46+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Network activity: dns.bowenpress.org (MISP Attribute #16376)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Network activity: dns.bowenpress.org (MISP Attribute #16376)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb19a-53fc-4c93-87b1-06e28e96ca05">
<cybox:Object id=":DomainName-595bb19a-53fc-4c93-87b1-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">dns.bowenpress.org</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:17:46+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery: the bare domain, exact match, confidence "High".
     Because the condition is "Equals", hosts under this domain are not covered here; the package
     lists several of them as separate attributes (#16362 to #16364, #16366, #16367, #16374, #16375).
     NOTE(review): the spelling resembles "secureserver" with two letters swapped, which looks like
     a lookalike name. Confirm against the source report before describing it as such. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-226c-4930-9b42-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: secuerserver.com (MISP Attribute #16354)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: secuerserver.com (MISP Attribute #16354)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-226c-4930-9b42-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-226c-4930-9b42-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the bare domain, confidence "High".
     The name differs by one letter from the "bowenpress" names listed in this package
     (#16356, #16357), so a substring or prefix rule written for those will not catch it:
     load it as its own entry. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-d1e8-4cde-9c68-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: bowenpres.com (MISP Attribute #16355)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: bowenpres.com (MISP Attribute #16355)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-d1e8-4cde-9c68-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-d1e8-4cde-9c68-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">bowenpres.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the bare domain, confidence "High".
     This is the .net name; the .org name is a separate indicator (MISP Attribute #16357).
     The DomainName object carries only the name, so the package does not say whether it was seen
     in DNS, HTTP or mail: apply it to whichever log sources hold hostnames. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-3318-40b2-945f-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: bowenpress.net (MISP Attribute #16356)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: bowenpress.net (MISP Attribute #16356)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-3318-40b2-945f-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-3318-40b2-945f-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">bowenpress.net</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the bare domain, confidence "High".
     Hosts under this domain are separate indicators in this package (dns. #16376, www. #16365,
     get.adobe.com. #16361); "Equals" on the bare domain does not match any of them. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-3d20-4589-9055-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: bowenpress.org (MISP Attribute #16357)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: bowenpress.org (MISP Attribute #16357)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-3d20-4589-9055-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-3d20-4589-9055-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">bowenpress.org</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the bare domain, confidence "High".
     Spelled with an "o" where the other names in this package have "e" (bowenpress, #16356 and
     #16357); keep it as a distinct entry rather than normalising it to the other spelling. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-c44c-45ce-b8b4-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: bowenpross.com (MISP Attribute #16358)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: bowenpross.com (MISP Attribute #16358)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-c44c-45ce-b8b4-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-c44c-45ce-b8b4-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">bowenpross.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the bare domain, confidence "High".
     The entry does not say whether the domain was registered for this activity or is a legitimate
     site that was abused; confirm that before blocking the whole zone.
     Valid_Time_Position is empty, so no expiry is stated for the entry. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-b9e0-4f44-a56e-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: datalink.one (MISP Attribute #16359)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: datalink.one (MISP Attribute #16359)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-b9e0-4f44-a56e-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-b9e0-4f44-a56e-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">datalink.one</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the bare domain, confidence "High".
     NOTE(review): the name looks like a one-letter variation on a news-site name; if so, match it
     exactly as written and make sure allow-lists for the similarly named legitimate site use exact
     or suffix matching rather than substring matching. Confirm against the source report. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb071-dcec-4872-ad35-06e28e96ca05" timestamp="2017-07-04T11:12:49+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: epochatimes.com (MISP Attribute #16360)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: epochatimes.com (MISP Attribute #16360)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb071-dcec-4872-ad35-06e28e96ca05">
<cybox:Object id=":DomainName-595bb071-dcec-4872-ad35-06e28e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">epochatimes.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:12:49+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the full FQDN, confidence "High".
     The leftmost labels read "get.adobe.com", but the name sits under bowenpress.org (listed as
     #16357). Detection and allow-list rules should compare the whole hostname or its registrable
     suffix, never a leading substring, or this host would pass as an adobe.com name. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-5a40-459c-a05d-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: get.adobe.com.bowenpress.org (MISP Attribute #16361)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: get.adobe.com.bowenpress.org (MISP Attribute #16361)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-5a40-459c-a05d-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-5a40-459c-a05d-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">get.adobe.com.bowenpress.org</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the FQDN, confidence "High".
     The same hostname is also present as a "Network activity" indicator (MISP Attribute #16375)
     under a different id; consumers keyed on the observable value will see it twice. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-9bd4-4f6e-b2fa-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: hk.secuerserver.com (MISP Attribute #16362)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: hk.secuerserver.com (MISP Attribute #16362)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-9bd4-4f6e-b2fa-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-9bd4-4f6e-b2fa-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">hk.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the FQDN, confidence "High".
     NOTE(review): the "pop" label suggests a mail-service hostname, but the entry itself gives no
     protocol or port; do not limit matching to mail logs on the strength of the name alone. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-c4b8-4124-a2b5-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: pop.secuerserver.com (MISP Attribute #16363)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: pop.secuerserver.com (MISP Attribute #16363)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-c4b8-4124-a2b5-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-c4b8-4124-a2b5-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">pop.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the FQDN, confidence "High".
     NOTE(review): the "smtpout" label suggests an outbound-mail hostname; if that holds, received
     mail headers are a useful place to look in addition to DNS and proxy logs. The entry itself
     does not state where the name was observed. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-3930-4285-9fdd-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: smtpout.secuerserver.com (MISP Attribute #16364)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: smtpout.secuerserver.com (MISP Attribute #16364)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-3930-4285-9fdd-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-3930-4285-9fdd-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">smtpout.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the www host, confidence "High".
     The bare domain bowenpress.org is a separate indicator (MISP Attribute #16357); with "Equals"
     matching both entries are needed to cover the www and non-www forms. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-e108-4480-aa27-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: www.bowenpress.org (MISP Attribute #16365)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: www.bowenpress.org (MISP Attribute #16365)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-e108-4480-aa27-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-e108-4480-aa27-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.bowenpress.org</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the four-label FQDN,
     confidence "High". No entry for mail.secuerserver.com (without "www.") is visible in this part
     of the package, so that intermediate name is not covered by this indicator. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-9c98-4021-9af7-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: www.mail.secuerserver.com (MISP Attribute #16366)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: www.mail.secuerserver.com (MISP Attribute #16366)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-9c98-4021-9af7-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-9c98-4021-9af7-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.mail.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the www host, confidence "High".
     The bare domain secuerserver.com is a separate indicator (MISP Attribute #16354).
     Valid_Time_Position is empty, so the only date available for ageing the entry is the
     2017-07-04 timestamp on the indicator. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-a424-469a-9a7f-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: www.secuerserver.com (MISP Attribute #16367)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: www.secuerserver.com (MISP Attribute #16367)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-a424-469a-9a7f-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-a424-469a-9a7f-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.secuerserver.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Domain watchlist entry for payload delivery, exact match on the www host, confidence "High".
     No bare-domain entry for vnews.hk is visible in this part of the package, and the entry does
     not say whether the site was attacker-operated or a legitimate site that was abused;
     check that before extending a block to the whole domain. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0af-4794-4d7f-ba4c-06e38e96ca05" timestamp="2017-07-04T11:13:51+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: www.vnews.hk (MISP Attribute #16368)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
<indicator:Description>Payload delivery: www.vnews.hk (MISP Attribute #16368)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0af-4794-4d7f-ba4c-06e38e96ca05">
<cybox:Object id=":DomainName-595bb0af-4794-4d7f-ba4c-06e38e96ca05">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.vnews.hk</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:13:51+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Malicious e-mail entry: an EmailMessage object whose only populated field is the header
     From address, matched exactly. No subject, attachment or sending host is recorded here.
     Confidence is "None" (not marked for IDS export in MISP, per the Description). A From address
     is sender-supplied text, so a hit is a lead for triage rather than proof of the same sender. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595baf52-7340-4840-bda0-06e38e96ca05" timestamp="2017-07-04T11:08:02+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: hellomice@mail.com (MISP Attribute #16348)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malicious E-mail</indicator:Type>
<indicator:Description>Payload delivery: hellomice@mail.com (MISP Attribute #16348)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595baf52-7340-4840-bda0-06e38e96ca05">
<cybox:Object id=":EmailMessage-595baf52-7340-4840-bda0-06e38e96ca05">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">hellomice@mail.com</AddressObj:Address_Value>
</EmailMessageObj:From>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:08:02+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Malicious e-mail entry: header From address only, exact match, confidence "None".
     Per the Confidence Description the attribute was not marked for IDS export in MISP, so it is
     better suited to mailbox searches and triage than to an automatic gateway block.
     The comparison is on the full address; other mailboxes at the same mail domain are not implied. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595baf52-2a08-4576-9f76-06e38e96ca05" timestamp="2017-07-04T11:08:02+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: aisia.anminda8@mail.com (MISP Attribute #16349)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malicious E-mail</indicator:Type>
<indicator:Description>Payload delivery: aisia.anminda8@mail.com (MISP Attribute #16349)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595baf52-2a08-4576-9f76-06e38e96ca05">
<cybox:Object id=":EmailMessage-595baf52-2a08-4576-9f76-06e38e96ca05">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">aisia.anminda8@mail.com</AddressObj:Address_Value>
</EmailMessageObj:From>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:08:02+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">None</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- IP watchlist entry for payload delivery: a single IPv4 address, exact match, confidence "High".
     Valid_Time_Position is empty, so no validity window is stated. IP addresses change hands, so
     weigh the 2017-07-04 timestamp before using the entry for blocking rather than retrospective search.
     NOTE(review): is_source="true" is set on the address; confirm what direction the exporter means
     by it before building a direction-specific rule, and match the address in either role until then. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb286-ee4c-4c91-91b9-06e38e96ca05" timestamp="2017-07-04T11:21:42+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: 45.124.24.39 (MISP Attribute #16405)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
<indicator:Description>Payload delivery: 45.124.24.39 (MISP Attribute #16405)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb286-ee4c-4c91-91b9-06e38e96ca05">
<cybox:Object id=":Address-595bb286-ee4c-4c91-91b9-06e38e96ca05">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="true">
<AddressObj:Address_Value condition="Equals">45.124.24.39</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:21:42+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- IP watchlist entry for payload delivery: a single IPv4 address, exact match, confidence "High".
     The entry does not link the address to any of the domain indicators in this package, so
     correlate through your own passive-DNS or resolver logs rather than assuming a pairing.
     Valid_Time_Position is empty; the 2017-07-04 timestamp is the only date available for ageing it. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb2d6-70e0-4d6d-bdc7-06e28e96ca05" timestamp="2017-07-04T11:23:02+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: 23.239.106.119 (MISP Attribute #16406)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
<indicator:Description>Payload delivery: 23.239.106.119 (MISP Attribute #16406)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb2d6-70e0-4d6d-bdc7-06e28e96ca05">
<cybox:Object id=":Address-595bb2d6-70e0-4d6d-bdc7-06e28e96ca05">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="true">
<AddressObj:Address_Value condition="Equals">23.239.106.119</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2017-07-04T11:23:02+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a single IPv4 address (43.240.14.37) exported from MISP attribute #16352 with the relationship "Payload delivery". -->
<!-- The same address is the host part of the URL indicator for MISP attribute #16350 in this incident, so the two entries describe the same server at different granularity. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bafe1-e518-4bfb-9701-06e28e96ca05" timestamp="2017-07-04T11:10:44+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: 43.240.14.37 (MISP Attribute #16352)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
<indicator:Description>Payload delivery: 43.240.14.37 (MISP Attribute #16352)</indicator:Description>
<!-- No validity window is stated; apply a local expiry before using this address for blocking. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bafe1-e518-4bfb-9701-06e28e96ca05">
<cybox:Object id=":Address-595bafe1-e518-4bfb-9701-06e28e96ca05">
<!-- Typed as an IPv4 source address; matched by exact string equality. -->
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="true">
<AddressObj:Address_Value condition="Equals">43.240.14.37</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence is derived from the MISP IDS flag, as the Description states; it is not an independent assessment. -->
<indicator:Confidence timestamp="2017-07-04T11:10:44+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL exported from MISP attribute #16350 with the relationship "Payload delivery". The host is the bare IPv4 address 43.240.14.37, which this incident also lists as its own IP Watchlist indicator (#16352). -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595baf7a-6598-4ecc-ba74-06e28e96ca05" timestamp="2017-07-04T11:08:42+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://43.240.14.37/asdasdasadqddd12222111.php/article.asp (MISP Attribute #16350)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://43.240.14.37/asdasdasadqddd12222111.php/article.asp (MISP Attribute #16350)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595baf7a-6598-4ecc-ba74-06e28e96ca05">
<cybox:Object id=":URI-595baf7a-6598-4ecc-ba74-06e28e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- "Equals" matches the whole URL string only; a request to the same host with a different path or a query string would not match this observable. -->
<URIObj:Value condition="Equals">http://43.240.14.37/asdasdasadqddd12222111.php/article.asp</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:08:42+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL exported from MISP attribute #16351 with the relationship "Payload delivery". -->
<!-- NOTE(review): the host name is spelled "chinadagitaltimes" ("dagital"), which looks like a deliberate look-alike spelling; confirm against the source report before whitelisting or blocking similarly named hosts. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bafa7-2d34-43d7-87a1-06e38e96ca05" timestamp="2017-07-04T11:09:48+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://chinadagitaltimes.net/2016/07/chinese-hackers-blamed-multiple-breaches-fdic (MISP Attribute #16351)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://chinadagitaltimes.net/2016/07/chinese-hackers-blamed-multiple-breaches-fdic (MISP Attribute #16351)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bafa7-2d34-43d7-87a1-06e38e96ca05">
<cybox:Object id=":URI-595bafa7-2d34-43d7-87a1-06e38e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- Exact full-URL match: only this one article-style path is covered, so host-level detection has to be derived separately by the consumer. -->
<URIObj:Value condition="Equals">http://chinadagitaltimes.net/2016/07/chinese-hackers-blamed-multiple-breaches-fdic</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:09:48+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL (an .html page) exported from MISP attribute #16369 with the relationship "Payload delivery". -->
<!-- The registrable domain is bowenpress.org; "get.adobe.com" is only a run of subdomain labels in front of it, so the host is not under adobe.com despite how it reads. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb0cc-f258-491f-afcd-06e28e96ca05" timestamp="2017-07-04T11:14:20+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate.html (MISP Attribute #16369)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate.html (MISP Attribute #16369)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb0cc-f258-491f-afcd-06e28e96ca05">
<cybox:Object id=":URI-595bb0cc-f258-491f-afcd-06e28e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- Exact full-URL match. The path carries a date-like directory (20161201); other dated paths on this host are separate indicators in this incident. -->
<URIObj:Value condition="Equals">http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate.html</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:14:20+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL to an .exe file, exported from MISP attribute #16370 with the relationship "Payload delivery". -->
<!-- The registrable domain is bowenpress.org; the leading "get.adobe.com" labels are subdomains of it. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb15f-dc68-4468-9572-06e38e96ca05" timestamp="2017-07-04T11:16:47+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20160703/AdobeUpdate20160703.exe (MISP Attribute #16370)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20160703/AdobeUpdate20160703.exe (MISP Attribute #16370)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb15f-dc68-4468-9572-06e38e96ca05">
<cybox:Object id=":URI-595bb15f-dc68-4468-9572-06e38e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- Exact full-URL match. The date-like string 20160703 appears in both the directory and the file name, so a differently dated file on the same host is not covered by this observable. -->
<URIObj:Value condition="Equals">http://get.adobe.com.bowenpress.org/Adobe/update/20160703/AdobeUpdate20160703.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:16:47+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL to an .exe file, exported from MISP attribute #16371 with the relationship "Payload delivery". -->
<!-- The registrable domain is bowenpress.org; the leading "get.adobe.com" labels are subdomains of it. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb15f-d000-400a-b7a9-06e38e96ca05" timestamp="2017-07-04T11:16:47+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20160812/AdobeUpdate20160812.exe (MISP Attribute #16371)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20160812/AdobeUpdate20160812.exe (MISP Attribute #16371)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb15f-d000-400a-b7a9-06e38e96ca05">
<cybox:Object id=":URI-595bb15f-d000-400a-b7a9-06e38e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- Exact full-URL match on the 20160812 path only; detection at host level has to be derived by the consumer. -->
<URIObj:Value condition="Equals">http://get.adobe.com.bowenpress.org/Adobe/update/20160812/AdobeUpdate20160812.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:16:47+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL to an .exe file, exported from MISP attribute #16372 with the relationship "Payload delivery". -->
<!-- The registrable domain is bowenpress.org; the leading "get.adobe.com" labels are subdomains of it. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb15f-4a08-4a4a-9ff5-06e38e96ca05" timestamp="2017-07-04T11:16:47+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate20161201.exe (MISP Attribute #16372)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate20161201.exe (MISP Attribute #16372)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb15f-4a08-4a4a-9ff5-06e38e96ca05">
<cybox:Object id=":URI-595bb15f-4a08-4a4a-9ff5-06e38e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- Exact full-URL match. This shares the 20161201 directory with the AdobeUpdate.html URL of MISP attribute #16369 in the same incident. -->
<URIObj:Value condition="Equals">http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate20161201.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:16:47+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
<!-- Related indicator: a full URL to an .exe file, exported from MISP attribute #16373 with the relationship "Payload delivery". It is the last entry before the Related_Indicators list closes. -->
<!-- The registrable domain is bowenpress.org; the leading "get.adobe.com" labels are subdomains of it. -->
<incident:Related_Indicator>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Indicator id=":indicator-595bb15f-8488-4a3b-abea-06e38e96ca05" timestamp="2017-07-04T11:16:47+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20170312/AdobeUpdate20170312.exe (MISP Attribute #16373)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Description>Payload delivery: http://get.adobe.com.bowenpress.org/Adobe/update/20170312/AdobeUpdate20170312.exe (MISP Attribute #16373)</indicator:Description>
<!-- No validity window is stated for this URL. -->
<indicator:Valid_Time_Position/>
<indicator:Observable id=":observable-595bb15f-8488-4a3b-abea-06e38e96ca05">
<cybox:Object id=":URI-595bb15f-8488-4a3b-abea-06e38e96ca05">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<!-- Exact full-URL match. The .exe URLs in this incident use the same path pattern with date-like strings from 20160703 to 20170312, so per-URL equality will miss any file published under a date not listed here. -->
<URIObj:Value condition="Equals">http://get.adobe.com.bowenpress.org/Adobe/update/20170312/AdobeUpdate20170312.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<!-- Confidence mirrors the MISP IDS flag (see the Description text). -->
<indicator:Confidence timestamp="2017-07-04T11:16:47+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
<stixCommon:Description>Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none</stixCommon:Description>
</indicator:Confidence>
</stixCommon:Indicator>
</incident:Related_Indicator>
</incident:Related_Indicators>
<!-- Incident history: the MISP event threat level and the MISP tags, each stored as the free text of one Journal_Entry. A consumer has to parse these strings to recover the tags; they are not structured fields. -->
<incident:History>
<incident:History_Item>
<!-- time_precision is set on every entry, but no time attribute accompanies it. -->
<incident:Journal_Entry time_precision="second">Event Threat Level: High</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<!-- This tag agrees with the color="GREEN" TLP marking in the incident's Handling element. -->
<incident:Journal_Entry time_precision="second">MISP Tag: TLP:GREEN</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: SOURCE:CITIZENLAB</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: DETECT</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: TARGET:HONGKONG</incident:Journal_Entry>
</incident:History_Item>
</incident:History>
<!-- Producer of the incident data. Only a Name ("citizenlab") is given; no identity id, role or contact detail is present, so provenance rests on this string alone. -->
<incident:Information_Source>
<stixCommon:Identity>
<stixCommon:Name>citizenlab</stixCommon:Name>
</stixCommon:Identity>
</incident:Information_Source>
<!-- Handling: applies a TLP marking to the incident. Consumers that redistribute this data should carry the marking with it (TLP:GREEN permits sharing within the community, not public release). -->
<incident:Handling>
<marking:Marking>
<!-- XPath relative to this element: three steps up (Marking, Handling, Incident) and then every node below, so the marking covers the whole enclosing incident including its indicators. -->
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="GREEN"/>
</marking:Marking>
</incident:Handling>
</stix:Incident>
</stix:Incidents>
</stix:Package>
</stix:Related_Package>
</stix:Related_Packages>
</stix:STIX_Package>