This section contains examples of STIX files with investigation results for a hash, IP address, domain, and web address.
This format is not available for exporting investigation results for reserved IP addresses.
By default, the format of the file name is as follows: <request type>_<request>_stix.xml
Here:
<request type>—The type of object that you export investigation results for. Possible values include:
MD5—If hash investigation results are exported.
IP—If IP address investigation results are exported.
DOMAIN—If domain investigation results are exported.
URL—If web address investigation results are exported.
<request>—The object that you export investigation results for. For domains and web addresses, a domain / web address UUID hash in hex format is used.
You can change the file name if necessary.
If you export investigation results for the domain ddns.net, the STIX file will have the following name by default:
DOMAIN_852808bf99be59a2902e089e26d5976a_stix.xml
STIX for a hash
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the hash 495DB359D61411F0688211C8DD473CB7 in STIX format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
MD5_495DB359D61411F0688211C8DD473CB7_stix.xml
<!-- Example export for a hash lookup: one STIX_Package whose primary observable is the queried file.
     Namespace notes for consumers: the indicator and ttp prefixes below are both bound to
     https://oasis-open.github.io/cti-documentation/, whereas the domain example on this page binds them
     to http://stix.mitre.org/Indicator-2 and http://stix.mitre.org/TTP-1. Namespace-aware code should
     confirm which URIs a real export carries before selecting elements by namespace.
     The cyboxVocabs prefix used in xsi:type values and the KL_Botnet_Tracking prefix used in the package id
     have no xmlns declaration on this element, so strict QName resolution or schema validation may reject
     the sample as shown. -->
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:indicator="https://oasis-open.github.io/cti-documentation/" xmlns:ttp="https://oasis-open.github.io/cti-documentation/" xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" id="KL_Botnet_Tracking:Package-09e55e6b-8e51-43db-a14a-01dce3c3f64d" version="1.2">
<stix:STIX_Header>
<stix:Title>HASH LOOKUP</stix:Title>
<stix:Description>Information about lookup HASH 495DB359D61411F0688211C8DD473CB7</stix:Description>
</stix:STIX_Header>
<!-- Primary observable: the file that was looked up. This container declares CybOX 1.1, while
     ttp:Observable_Characterization near the end of the package declares 2.1. -->
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:Observable-6be4fae3-d355-42e3-8795-0aafa8ea8af5">
<!-- Verdict and telemetry are packed into one free-text string of KEY="value" pairs, not XML attributes.
     Dates are day.month.year (29.05.2014). Parse the string defensively and treat it as untrusted text. -->
<cybox:Description>ZONE="Yellow" HITS="1000000" FIRST_SEEN="29.05.2014" LAST_SEEN="08.11.2016" DETECTION_NAMES="not-a-virus:Downloader.Win32.Agent.cugr"</cybox:Description>
<cybox:Object id="KTL:object-5607310f-82ac-5849-90c8-31526166c01e">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File is_packed="true">
<FileObj:File_Extension>PE</FileObj:File_Extension>
<FileObj:Size_In_Bytes>3702320</FileObj:Size_In_Bytes>
</FileObj:File>
<FileObj:Digital_Signatures>
<!-- signature_exists is true but signature_verified is false: the certificate description below is an
     unverified value and should not be used as a trusted signer name. -->
<cyboxCommon:Digital_Signature signature_exists="true" signature_verified="false">
<cyboxCommon:Certificate_Description>iTVA LLC</cyboxCommon:Certificate_Description>
</cyboxCommon:Digital_Signature>
</FileObj:Digital_Signatures>
<!-- Here FileObj:Hashes is a sibling of FileObj:File, and each entry is a cyboxCommon:Hash nested inside an
     outer cyboxCommon:Hash wrapper. Other file observables in this package place FileObj:Hashes inside
     FileObj:File with Hash directly beneath it, so extractors need to handle both shapes. -->
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">CAD7296F99733E209CE57422F348A8698245CBD5</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">12FF1AE06AC3ACA95969B2D338A24D47DF80D7B70521BD7DB801B715DB629420</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<!-- Indicator "File paths": presumably the folders in which the queried file was observed (confirm against
     the portal documentation). Observables sit directly under indicator:Related_Observables with no
     indicator:Related_Observable wrapper, unlike the IP and domain examples on this page.
     Object ids repeat within this indicator: KTL:object-4ee3a9e3-817c-5566-8048-d1f8245165ac and
     KTL:object-35e03985-c6cb-599c-a8d7-c35ee3a01033 each appear twice with different HITS values, so
     records should not be keyed on the object id alone.
     File_Path values are marked fully_qualified="false"; Device_Path "ProgramFiles" looks like a folder
     token rather than a literal path (assumption, to be confirmed). -->
<stix:Indicator id="KTL:indicator-0390d2b2-0454-50fa-bd7e-76f6eaf7b783">
<indicator:Title>File paths</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-f1fe37d1-2a62-526e-950e-a2d90db33864">
<cybox:Description>HITS="1000000"</cybox:Description>
<cybox:Object id="KTL:object-4ee3a9e3-817c-5566-8048-d1f8245165ac">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">itva\lovivkontakte2</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-423aac92-69b1-594f-b021-113fcbae1742">
<cybox:Description>HITS="1000000"</cybox:Description>
<cybox:Object id="KTL:object-35e03985-c6cb-599c-a8d7-c35ee3a01033">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">lovivk</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<!-- Same object id and path as the first observable above, with a different HITS value. -->
<cybox:Observable id="KTL:Observable-f7c29a0f-e650-510d-a9ea-4e75512cbadd">
<cybox:Description>HITS="10000"</cybox:Description>
<cybox:Object id="KTL:object-4ee3a9e3-817c-5566-8048-d1f8245165ac">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">itva\lovivkontakte2</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<!-- Same object id and path as the second observable above, with a different HITS value. -->
<cybox:Observable id="KTL:Observable-1cf62ef0-e266-592d-aea8-1c157dd1890c">
<cybox:Description>HITS="1000"</cybox:Description>
<cybox:Object id="KTL:object-35e03985-c6cb-599c-a8d7-c35ee3a01033">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">lovivk</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<!-- The last two paths carry no Device_Path element, so consumers must treat it as optional. -->
<cybox:Observable id="KTL:Observable-2bdab6e0-a20b-585c-826c-be41b83ce249">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-c4cd4595-b34f-5ebd-9125-0b9fdc2d3d74">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">system volume information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp115</FileObj:File_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-f93493b3-c59f-51e1-b614-a6b702566b3f">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-3aa80a01-40ab-59c5-a971-061193a7d134">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">system volume information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp113</FileObj:File_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "File names": names recorded for the queried file, each with a HITS bucket and no hash.
     A name on its own is a weak match key: updater.exe below is also the File_Name of an object with a
     different MD5 under "File started following objects" in this package. Pair name matches with a hash
     before acting on them. -->
<stix:Indicator id="KTL:indicator-9901368e-338b-5fec-ad0a-185b672fb271">
<indicator:Title>File names</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-5049756c-3d27-565d-9fe1-4a5668ad6ef5">
<cybox:Description>HITS="1000000"</cybox:Description>
<cybox:Object id="KTL:object-d744a9e8-9f30-59a0-aca1-e0f00ffe4b5b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>lvk2.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-cd60b5bc-c0a2-5e43-9897-b6ebb2577d14">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-af970d9e-b5f9-5ae2-81d3-5ebef78b63cf">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>a0040146.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-731d9bda-c427-5c1a-b86e-4121b3f05d34">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-1cf19365-1b8e-5dbe-99d6-ed94783855a7">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>a0004589.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-097928ae-5424-57e9-9fba-8f9830842d6c">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-2cc36f03-8207-55e2-9ed6-4b927a043c4b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>updater.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "File downloaded from URLs and domains": one composite observable whose
     Observable_Composition (operator AND) pairs the full URL with its domain. ZONE, LAST_DOWNLOADED and
     IP_COUNT are given once on the outer observable, not on the two members.
     The URI values carry no scheme. When storing or displaying them, keep them as inert text and do not
     auto-link or fetch them. -->
<stix:Indicator id="KTL:indicator-2f648dfb-35e8-56bb-9d69-fe968b7dee9e">
<indicator:Title>File downloaded from URLs and domains</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-df04c1da-0db3-5f6a-a397-17361d8ca828">
<cybox:Description>ZONE="Red" LAST_DOWNLOADED="29.04.2016" IP_COUNT="1"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-7e122afb-6820-53bd-ac1f-d976c98983eb">
<cybox:Object id="KTL:URI-7e122afb-6820-53bd-ac1f-d976c98983eb">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">upconfusepat.ru/3e122e2dd79b0dcab9df0e4c6d3d238f/625819-book</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-2e48404f-254e-5293-b99c-b3d48a350e6b">
<cybox:Object id="KTL:URI-2e48404f-254e-5293-b99c-b3d48a350e6b">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="Domain Name">
<URIObj:Value condition="Equals">upconfusepat.ru</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "File started following objects": file objects related to the queried file, each with its
     own ZONE and detection name in the Description string. The key here is DETECTION_NAME (singular),
     while the primary observable of this package uses DETECTION_NAMES, so parsers should accept both.
     In this indicator FileObj:Hashes sits inside FileObj:File and holds cyboxCommon:Hash directly, which
     differs from the nested shape used by the primary observable.
     Zones differ per entry (Red, Yellow, Grey): evaluate each related object on its own zone rather than
     inheriting the verdict of the queried file. -->
<stix:Indicator id="KTL:indicator-70fb0b4a-a5a4-5782-961f-c18fe7ecee73">
<indicator:Title>File started following objects</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-2791e879-a8b1-5741-8ef9-5af2b11ee9a4">
<cybox:Description>HITS="10" ZONE="Red" LAST_STARTED="10.07.2014" DETECTION_NAME="Virus.Win32.Neshta.a"</cybox:Description>
<cybox:Object id="KTL:object-8becd1bd-e8ae-5712-a271-bc126a467e15">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">91677B76C4FC52F26097B61E74F5D01B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:File_Name>svchost.com</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<!-- This entry's MD5 is the queried hash itself, so the list is not limited to other files. -->
<cybox:Observable id="KTL:Observable-7dfc9e1d-15b9-599b-9131-bc65f5ef4bca">
<cybox:Description>HITS="10" ZONE="Yellow" LAST_STARTED="04.04.2016" DETECTION_NAME="not-a-virus:Downloader.Win32.Agent.cugr"</cybox:Description>
<cybox:Object id="KTL:object-6c262a1a-fd7c-5d9c-8ae8-32f4b2dbcca5">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
<FileObj:File_Path fully_qualified="false">itva\lovivkontakte2</FileObj:File_Path>
<FileObj:File_Name>lvk2.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-19b447ad-cafa-522b-81bd-f72866a2e2ed">
<cybox:Description>HITS="10000" ZONE="Grey" LAST_STARTED="08.11.2016" DETECTION_NAME="PDM:P2P-Worm.Win32.Generic"</cybox:Description>
<cybox:Object id="KTL:object-4d4c5977-5001-5d75-9b35-ab1671fb98d9">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">88D076275DBF770406A232DBFF5F9AAE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
<FileObj:File_Path fully_qualified="false">screen capture</FileObj:File_Path>
<FileObj:File_Name>updater.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-fa806ccf-803a-50cc-8660-a986984587be">
<cybox:Description>HITS="10" ZONE="Grey" LAST_STARTED="23.02.2016" DETECTION_NAME="not-a-virus:BSS:WebToolbar.Win32.Rubar.b"</cybox:Description>
<cybox:Object id="KTL:object-29e69ee3-46b3-5e06-857c-fa45ebc43d7c">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5B817FC229E661786D01331274868C94</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
<FileObj:File_Path fully_qualified="false">lovivkontakte</FileObj:File_Path>
<FileObj:File_Name>unins000.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<!-- TTP entry that ties the lookup (LOOKUP_HASH) back to the primary observable by idref.
     The idref below is spelled KTL:observable-... with a lower-case "o", while the primary observable's id
     is KTL:Observable-... with an upper-case "O". A case-sensitive id lookup will not resolve this
     reference, so consumers should either compare case-insensitively or fall back to the first observable
     under stix:Observables. -->
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="KTL:ttp-789f87ea-a68f-445f-8a96-d5ee2aa7598c" timestamp="2016-11-08T04:40Z">
<ttp:Title>LOOKUP_HASH</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-6be4fae3-d355-42e3-8795-0aafa8ea8af5" />
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
STIX for an IP address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the IP address 195.175.254.2 in STIX format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
IP_195.175.254.2_stix.xml
<!-- Example export for an IP address lookup. In this sample the indicator prefix is bound to
     http://stix.mitre.org/Indicator-2, but the ttp prefix is bound to
     https://oasis-open.github.io/cti-documentation/ (the domain example on this page uses
     http://stix.mitre.org/TTP-1). Namespace-aware consumers should confirm the URIs in a real export.
     The cyboxVocabs prefix (xsi:type values) and the KL_Botnet_Tracking and KL_DATA_FEED prefixes (id
     values) have no xmlns declaration on this element, so strict QName resolution may fail. -->
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="https://oasis-open.github.io/cti-documentation/" xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" id="KL_Botnet_Tracking:Package-8cf6606e-0510-4c3c-9065-8150e53252ea" version="1.2">
<stix:STIX_Header>
<stix:Title>IP LOOKUP</stix:Title>
<stix:Description>Information about lookup IP 195.175.254.2</stix:Description>
</stix:STIX_Header>
<!-- Primary observable: the queried address, with its verdict in the Description string and WHOIS data in
     the object properties. -->
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:Observable-b87283c7-fa74-4c25-aac9-d19abbe72871">
<cybox:Description>ZONE="Green" FIRST_SEEN="03.06.2014" THREAT_SCORE="0" HITS="100000"</cybox:Description>
<cybox:Object id="KTL:object-8f070cfa-16c4-5833-ac7e-be5cf56efe5b">
<!-- The properties are typed WhoisObj:WhoisObjectType, yet Whois_Entry, Contact_Info, Name, Creation_Date
     and IP_Address use the URIObj prefix; only Remarks uses WhoisObj. The domain example on this page uses
     WhoisObj for the same elements, so selecting by namespace alone will miss one of the two shapes. -->
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<URIObj:Whois_Entry>
<URIObj:Contact_Info>
<URIObj:Name>Turk Telekomunikasyon Anonim Sirketi</URIObj:Name>
</URIObj:Contact_Info>
<!-- Creation_Date is an ISO-style timestamp here, whereas the dates inside Description strings and in the
     domain example's WHOIS block are day.month.year. -->
<URIObj:Creation_Date>2002-06-12T12:00Z</URIObj:Creation_Date>
<!-- Network details (ASN, range, names) are packed into Remarks as KEY="value" text and need the same
     defensive string parsing as cybox:Description. -->
<WhoisObj:Remarks>ASN="9121" AS_DESCRIPTION="TTnetTurkTelekom" NETWORK_NAME="TR-TELEKOM-960902" NETWORK_RANGE="195.174.0.0-195.175.255.255" NETWORK_DESCRIPTION="Turk Telekomunikasyon Anonim Sirketi"</WhoisObj:Remarks>
<URIObj:IP_Address>
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>195.175.254.2</AddressObj:Address_Value>
</AddressObj:Address>
</URIObj:IP_Address>
</URIObj:Whois_Entry>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<!-- Indicator "IpPdnsDomains": host names associated with the queried address; the title suggests passive
     DNS data (assumption, confirm against the portal documentation). Each observable is wrapped in
     indicator:Related_Observable.
     The objects are typed type="URL" although the values are bare host names. The first value,
     ?.tumblr.com, contains a literal "?" label, presumably a masked or wildcard subdomain; it is not a
     valid host name and should not be loaded into a blocklist or compiled as a pattern without handling.
     All entries are ZONE Grey: a DNS association with the address is not a verdict on the host. -->
<stix:Indicator id="KTL:indicator-0b00eab7-9147-5066-97b8-148e70c56282">
<indicator:Title>IpPdnsDomains</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-f1efdbc9-7105-5174-a6e5-a0e39a97bf6f">
<cybox:Description>ZONE="Grey" HITS="10000" FIRST_SEEN="06.11.2014" LAST_SEEN="08.11.2016" PEAK_DATE="02.03.2016" PEAK_HITS="100"</cybox:Description>
<cybox:Object id="KTL:URI-928ccb8e-50f5-5369-8000-545e9b8276b6">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">?.tumblr.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-be3fe8bd-e143-5f0f-b0d8-8b47188a037b">
<cybox:Description>ZONE="Grey" HITS="100" FIRST_SEEN="13.10.2016" LAST_SEEN="08.11.2016" PEAK_DATE="22.10.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:URI-5c1454a6-8d00-513f-b1da-601ac95aaca1">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">xtubehd.org</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-23533db5-3d3a-56aa-aa3e-4eba009d612e">
<cybox:Description>ZONE="Grey" HITS="100" FIRST_SEEN="03.11.2016" LAST_SEEN="08.11.2016" PEAK_DATE="05.11.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:URI-2a95cb26-9958-56fb-b4a2-054f9d16f77d">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">perinatalmedicine2015.org</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-b4def839-0139-5ae4-9b72-ccb32e682cb4">
<cybox:Description>ZONE="Grey" HITS="100" FIRST_SEEN="07.09.2016" LAST_SEEN="08.11.2016" PEAK_DATE="01.10.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:URI-14a08633-2ae1-5f15-8f4e-fbbc233de658">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">unlimiteddamage.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "Files downloaded from IP address": each entry is a composite observable (operator AND)
     pairing a file hash with the URL it is associated with; the verdict string sits on the outer
     observable.
     Hash shape in this indicator: an outer cyboxCommon:Hash holds an inner Hash (Type plus value) and then
     a second Simple_Hash_Value, without a condition attribute, repeating the same MD5. Extractors that
     collect every Simple_Hash_Value will see each hash twice and should de-duplicate.
     File object ids use the KL_DATA_FEED prefix, which the root element does not declare.
     URL values carry no scheme; keep them as inert text and do not auto-link or fetch them. -->
<stix:Indicator id="KTL:indicator-8b0d7e8d-061c-54c6-a95b-6446d1b5b80c">
<indicator:Title>Files downloaded from IP address</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-59d878fb-dac8-47ec-bbba-cac588fc6663">
<cybox:Description>ZONE="Red" FIRST_SEEN="09.10.2016" LAST_SEEN="09.10.2016" HITS="10" DETECTION_NAME="Trojan.JS.FBook.ab"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-7aeb8e41-9f0f-4dcd-9b51-be4110b6866c">
<cybox:Object id="KL_DATA_FEED:File-202848b6-c89c-0824-75cd-cbb05ea6cf92">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">B64828209CC8240875CDCBB05EA6CF92</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B64828209CC8240875CDCBB05EA6CF92</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-b17c86a0-f236-4de0-a2c4-83c96798c06b">
<cybox:Object id="KTL:URI-987568f4-55e0-5ed0-a0d8-fd1abb760fe3">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">cinselkameralisohbet.com/like.js</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-7b4acefb-2caa-4a89-9126-47ebceb21e81">
<cybox:Description>ZONE="Red" FIRST_SEEN="06.07.2016" LAST_SEEN="06.07.2016" HITS="10" DETECTION_NAME="HEUR:Trojan.Script.Generic"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-8e88ceda-be05-412f-9862-86f407127282">
<cybox:Object id="KL_DATA_FEED:File-a4af22b3-0609-af97-be9f-ed547b6e45fe">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">B322AFA4090697AFBE9FED547B6E45FE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B322AFA4090697AFBE9FED547B6E45FE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-c1e5be66-8ae5-4999-9027-07c8a17401cd">
<cybox:Object id="KTL:URI-f10c3b61-0c75-50ca-b33e-ce33b98969d9">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">library.com/stories/story.php?storyid=5044</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-87af2190-30d8-4764-b36f-0db1822c75f2">
<cybox:Description>ZONE="Red" FIRST_SEEN="13.06.2016" LAST_SEEN="13.06.2016" HITS="10" DETECTION_NAME="HEUR:Trojan.Script.Generic"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-68fe3ce3-175c-459e-914d-c71a00dc6b5f">
<cybox:Object id="KL_DATA_FEED:File-ed3c0826-7c56-9bba-c814-65f79987a287">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">26083CED567CBA9BC81465F79987A287</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>26083CED567CBA9BC81465F79987A287</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-d6a1f25a-ad83-432c-a288-f06ddbd49671">
<cybox:Object id="KTL:URI-3e1b15a0-f861-5b32-b9e2-50184f7ba39c">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">friendvideos.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-e88f35fb-39ad-435e-a387-b5a1a76ebad9">
<cybox:Description>ZONE="Red" FIRST_SEEN="06.05.2016" LAST_SEEN="06.05.2016" HITS="10" DETECTION_NAME="HEUR:Trojan.Script.Generic"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-9bc51e97-5a63-4f6b-85f0-8d48aaa37c9a">
<cybox:Object id="KL_DATA_FEED:File-27f0c8b9-9c11-2639-049e-bec9d97f866b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">B9C8F027119C3926049EBEC9D97F866B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B9C8F027119C3926049EBEC9D97F866B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-0f26d5f3-ddc6-4a06-a1b2-059f35ee29b2">
<cybox:Object id="KTL:URI-5f2f3931-ba38-5620-a558-84e60affd07f">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">friendvideos.com/members/d/drakedcx/383.php</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "Hosted URLs": URLs associated with the queried address. Unlike the two preceding indicators
     in this package, the observables here sit directly under indicator:Related_Observables with no
     indicator:Related_Observable wrapper, so a consumer has to accept both layouts within one file.
     Every URL here is ZONE Red although the address itself is ZONE Green in the primary observable:
     evaluate each related observable on its own zone instead of inheriting the verdict of the address. -->
<stix:Indicator id="KTL:indicator-99ca4aed-8a43-5c90-b7b6-7c94cd7c5d76">
<indicator:Title>Hosted URLs</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-b744e29b-7844-54d9-9fb0-e7f916de8fc1">
<cybox:Description>ZONE="Red" FIRST_SEEN="21.01.2015" LAST_SEEN="09.11.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-fe05b502-32ea-5c87-88fa-82df8c15919b">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">b.com/favicon.ico</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-8527213c-f799-5b76-952d-5f37a83685a2">
<cybox:Description>ZONE="Red" FIRST_SEEN="15.11.2015" LAST_SEEN="03.10.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-aecd587d-42e4-5e52-bf36-174433163d4f">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">where.com/favicon.ico</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-7f385b2b-38d9-5dbb-aec7-a5f2eed402f3">
<cybox:Description>ZONE="Red" FIRST_SEEN="21.06.2016" LAST_SEEN="29.08.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-39370ec3-8cb0-587c-931c-49d5eb68d792">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">pz.net/favicon.ico</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-8e03aa7d-e8ac-58cf-b712-18d151a69321">
<cybox:Description>ZONE="Red" FIRST_SEEN="20.01.2015" LAST_SEEN="25.12.2015" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-cd3e149e-b0d8-5fe3-9631-2aa05c9e9e2f">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">site.net/ncd/afterclick/arr0.png</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<!-- TTP entry that ties the lookup (LOOKUP_IP) back to the primary observable by idref.
     The idref below is spelled KTL:observable-... with a lower-case "o", while the primary observable's id
     is KTL:Observable-... with an upper-case "O". A case-sensitive id lookup will not resolve this
     reference, so consumers should either compare case-insensitively or fall back to the first observable
     under stix:Observables. -->
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="KTL:ttp-13e84c8f-b85e-4d41-9cd8-e5106003041c" timestamp="2016-11-09T09:37Z">
<ttp:Title>LOOKUP_IP</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-b87283c7-fa74-4c25-aac9-d19abbe72871" />
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
STIX for a domain
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the domain ddns.net in STIX format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
DOMAIN_852808bf99be59a2902e089e26d5976a_stix.xml
<!-- Example export for a domain lookup. Here the indicator and ttp prefixes are bound to
     http://stix.mitre.org/Indicator-2 and http://stix.mitre.org/TTP-1, which differs from the bindings
     shown in the hash and IP examples on this page.
     The KL_Botnet_Tracking prefix used in the package id has no xmlns declaration on this element. -->
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" id="KL_Botnet_Tracking:Package-6e1181fb-1c59-4214-8991-891deab614c7" version="1.2">
<stix:STIX_Header>
<stix:Title>DOMAIN LOOKUP</stix:Title>
<stix:Description>Information about lookup domain ddns.net</stix:Description>
</stix:STIX_Header>
<!-- Primary observable: the queried domain, with verdict and counters in the Description string and WHOIS
     data in the object properties. -->
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:Observable-3c7c15a7-1ca9-436f-bdb6-27c8330e5c9a">
<cybox:Description>ZONE="Green" IP_COUNT="2" FILES_COUNT="0" URLS_COUNT="10" HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-0aa5bd9c-6eef-5f5c-8507-cb05b334af83">
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<!-- WHOIS elements use the WhoisObj prefix here; the IP example on this page uses URIObj for the
     equivalent elements. -->
<WhoisObj:Whois_Entry>
<WhoisObj:Contact_Info>
<WhoisObj:Name>TLDS LLC. d/b/a SRSPlus</WhoisObj:Name>
<WhoisObj:Organization>Vitalwerks Internet Solutions, LLC</WhoisObj:Organization>
</WhoisObj:Contact_Info>
<!-- Both dates are day.month.year text, not the ISO-style timestamp used for Creation_Date in the IP
     example; date parsing must accept both forms. -->
<WhoisObj:Creation_Date>28.06.2001</WhoisObj:Creation_Date>
<WhoisObj:Expiration_Date>28.06.2019</WhoisObj:Expiration_Date>
<WhoisObj:Domain_Name>
<URIObj:URI>
<URIObj:Value condition="Equals">ddns.net</URIObj:Value>
</URIObj:URI>
</WhoisObj:Domain_Name>
</WhoisObj:Whois_Entry>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<!-- Indicator "Domain resolved to following IP addresses": address objects linked to the queried domain.
     Unlike the hash and IP examples, this indicator carries a stixCommon:TTP idref, and its value matches
     the id of the stix:TTP element in this package exactly, including case.
     The keys in the Description string vary per entry (THREAT_SCORE appears only on the second address),
     so every key should be treated as optional when parsing. -->
<stix:Indicator id="KTL:indicator-ab2e6385-ee49-54f7-8f92-62a520d660e0">
<indicator:Title>Domain resolved to following IP addresses</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-ad122867-4c82-490c-ae86-89b53af55510" xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-99f60c73-87e7-48fd-be82-9f09be246205">
<cybox:Description>ZONE="Grey" HITS="10" FIRST_SEEN="14.12.2014" LAST_SEEN="14.12.2014" PEAK_DATE="14.12.2014" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-cfcf62ca-6194-5916-becb-024a6cd5db18">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>213.128.81.34</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-cd672eb1-d6ae-4d88-80ef-c4125d476bfd">
<cybox:Description>ZONE="Green" THREAT_SCORE="0" HITS="1000" FIRST_SEEN="31.10.2014" LAST_SEEN="07.11.2016" PEAK_DATE="09.08.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-e2d0d2bb-cbd9-5bf7-ad07-7de1c4d9e366">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>8.23.224.108</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "Subdomains": hosts under the queried domain, each with its own zone and counters.
     Every subdomain listed here is ZONE Red while the parent domain ddns.net is ZONE Green in the primary
     observable. Verdicts apply per host name: match and act on the full subdomain value rather than on the
     parent domain.
     The objects are typed type="URL" although the values are bare host names with no scheme or path. -->
<stix:Indicator id="KTL:indicator-b8e4f05e-64d3-5e7e-94e9-17727f70c8ca">
<indicator:Title>Subdomains</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-ad122867-4c82-490c-ae86-89b53af55510" xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-db0b0742-a6c9-4a89-aea8-f7f0f8925c98">
<cybox:Description>ZONE="Red" URLS_COUNT="100" FIRST_SEEN="20.10.2016" FILES_COUNT="0"</cybox:Description>
<cybox:Object id="KTL:URI-5cb36308-3dfe-5e09-a476-781a5ae87b1d">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">bainoirtee-seg20101.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-da25ee22-fa34-4ca7-9723-2483e4342ebd">
<cybox:Description>ZONE="Red" URLS_COUNT="10" FIRST_SEEN="02.11.2016" FILES_COUNT="10"</cybox:Description>
<cybox:Object id="KTL:URI-cfa49da7-950c-55f5-938a-98758abf38da">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">090005.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-737325c2-da64-4d0b-b1e9-570581cdbd49">
<cybox:Description>ZONE="Red" URLS_COUNT="10" FIRST_SEEN="23.10.2016" FILES_COUNT="10"</cybox:Description>
<cybox:Object id="KTL:URI-bafc3854-cef2-537f-b8bb-82d21d1a1198">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">q1w2e3.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-42f79cc9-1ba1-4e9e-9abe-1d9027759351">
<cybox:Description>ZONE="Red" URLS_COUNT="10" FIRST_SEEN="14.10.2016" FILES_COUNT="10"</cybox:Description>
<cybox:Object id="KTL:URI-0ca6250b-8f28-556e-8382-f569cd34ff9e">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">bannding123.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<!-- The single TTP of the package; the "Subdomains" indicator points to it through stixCommon:TTP idref. The Observable idref inside presumably resolves to the looked-up domain's own observable declared under stix:Observables; resolve it when ingesting, and handle a dangling reference explicitly. -->
<!-- NOTE(review): the timestamp omits seconds (2016-11-08T02:02Z). xs:dateTime requires hh:mm:ss, so strict schema validation may reject this value; parse it leniently and do not assume schema-valid input. -->
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="KTL:ttp-ad122867-4c82-490c-ae86-89b53af55510" timestamp="2016-11-08T02:02Z">
<ttp:Title>LOOKUP_DOMAIN</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-3c7c15a7-1ca9-436f-bdb6-27c8330e5c9a" />
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
STIX for a web address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the web address go.spaceshipads.com/afu.php?zoneid=361258 in STIX format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
URL_20c056bbd30c5b41be005abd49506015_stix(for DOMAIN).xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" id="KL_Botnet_Tracking:Package-8a62b7d2-1b5c-484f-a5aa-920fb79a5325" version="1.2">
<!-- Header: names the lookup type and repeats the looked-up URL in full (host, path and query string, written without a scheme). -->
<stix:STIX_Header>
<stix:Title>URL LOOKUP</stix:Title>
<stix:Description>Information about lookup URL go.spaceshipads.com/afu.php?zoneid=361258</stix:Description>
</stix:STIX_Header>
<!-- The looked-up URL itself. Its URI object id is the same UUID that forms the default export file name. ZONE, IP_COUNT, FILES_COUNT and CATEGORY are packed into the Description text as KEY="value" pairs, and CATEGORY holds a comma-separated list, so the consumer has to parse the string. -->
<!-- NOTE(review): cybox_major_version is "1" here but "2" on Observable_Characterization in this package's TTP; do not branch parsing on this attribute without checking a real export. -->
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:observable-bbfb2c01-51eb-4a7b-a136-2d8016fc3ede">
<cybox:Description>ZONE="Red" IP_COUNT="76" FILES_COUNT="1000000" CATEGORY="URLREP_CATEGORY_INFORMATION_TECHNOLOGIES,URLREP_CATEGORY_MALWARE"</cybox:Description>
<cybox:Object id="KTL:URI-20c056bb-d30c-5b41-be00-5abd49506015">
<!-- NOTE(review): the element below is spelled cybox:Propertis, while every other object in this package uses cybox:Properties. If real exports carry this spelling, a consumer that selects cybox:Properties silently misses the looked-up URL; confirm against an actual export and alert on objects that yield no properties. -->
<cybox:Propertis xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">go.spaceshipads.com/afu.php?zoneid=361258</URIObj:Value>
</cybox:Propertis>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<!-- "URL Domain" indicator: Whois data for the registered domain of the looked-up URL. In this sample it sits directly under the package root, before the stix:Indicators wrapper opens, so a consumer that only walks stix:Indicators/stix:Indicator will not see it. -->
<!-- Whois dates are dotted and day-first (15.06.2015), not ISO 8601. NOTE(review): the Organization value reads like a privacy/proxy registration service, so the contact presumably does not identify the party operating the domain. -->
<stix:Indicator id="KTL:indicator-e720f4b7-9610-5cda-93a4-112d101095b9">
<indicator:Title>URL Domain</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74" xsi:type="ttp:TTPType" />
<indicator:Observable id="KL_Botnet_Tracking:Observable-ad3ae2fb-cc62-4363-aa10-5fcfd18d5dd1">
<!-- NOTE(review): a cybox:Object is nested directly inside another cybox:Object here, each with its own id and a different id prefix (KL_Botnet_Tracking, then KTL). Locate the Whois properties by descending to cybox:Properties, not by assuming a fixed depth. -->
<cybox:Object id="KL_Botnet_Tracking:object-3e8c815b-1de2-4c6c-9008-189598762c84">
<cybox:Object id="KTL:object-35bc71a1-eca7-5718-ab86-f5e0814328c5">
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<WhoisObj:Whois_Entry>
<WhoisObj:Contact_Info>
<WhoisObj:Name>URL SOLUTIONS INC.</WhoisObj:Name>
<WhoisObj:Organization>GLOBAL DOMAIN PRIVACY SERVICES INC</WhoisObj:Organization>
</WhoisObj:Contact_Info>
<WhoisObj:Creation_Date>15.06.2015</WhoisObj:Creation_Date>
<WhoisObj:Expiration_Date>15.06.2018</WhoisObj:Expiration_Date>
<WhoisObj:Domain_Name>
<URIObj:URI>
<URIObj:Value condition="Equals">spaceshipads.com</URIObj:Value>
</URIObj:URI>
</WhoisObj:Domain_Name>
</WhoisObj:Whois_Entry>
</cybox:Properties>
</cybox:Object>
</cybox:Object>
</indicator:Observable>
</stix:Indicator>
<stix:Indicators>
<!-- IPv4 addresses the domain resolved to. Statistics are KEY="value" pairs inside the Description text; THREAT_SCORE is present on the first two entries and absent on the last two, so treat every key as optional. Dates are dotted and day-first. -->
<!-- NOTE(review): all four entries are ZONE="Grey"; check what Grey means in the product documentation before feeding these addresses to a block list. HITS and PEAK_HITS are 10 or 1000 here, presumably order-of-magnitude buckets and not exact counts. -->
<stix:Indicator id="KTL:indicator-1001967c-3c3a-5b59-bc29-90be69890460">
<indicator:Title>Domain resolved to following IP addresses</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74" xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-0ed26085-264f-43df-bc37-1d0852a536da">
<cybox:Description>ZONE="Grey" THREAT_SCORE="63" HITS="1000" FIRST_SEEN="26.02.2016" LAST_SEEN="11.03.2016" PEAK_DATE="27.02.2016" PEAK_HITS="1000"</cybox:Description>
<cybox:Object id="KTL:object-3cbf69fc-b1cb-54be-938f-3459b6aab54d">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>54.72.9.115</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-1a745079-3141-4948-9d97-6ab5fe0416d5">
<cybox:Description>ZONE="Grey" THREAT_SCORE="25" HITS="10" FIRST_SEEN="01.07.2016" LAST_SEEN="01.07.2016" PEAK_DATE="01.07.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-0d996609-bd51-5c4e-9cbc-80bc44e31b48">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>144.76.152.140</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-711dad25-31d2-4320-b6c3-cffe5b4c85c7">
<cybox:Description>ZONE="Grey" HITS="10" FIRST_SEEN="08.10.2016" LAST_SEEN="08.10.2016" PEAK_DATE="08.10.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-d0c6a41c-64aa-51a2-9366-7cf184704f74">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>154.51.128.11</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<!-- The address below lies in 100.64.0.0/10, the shared address space of RFC 6598, which is not globally routable. Filter reserved and private ranges out of resolved-IP lists before correlating or blocking on them. -->
<cybox:Observable id="KTL:Observable-bf37ea8f-c0e9-4227-a35b-9d52e65654f6">
<cybox:Description>ZONE="Grey" HITS="10" FIRST_SEEN="01.10.2016" LAST_SEEN="01.10.2016" PEAK_DATE="01.10.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-7a43f1a3-1471-5b0e-ba87-2b9ecd8263d9">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>100.96.5.89</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- "Files accessed requested URL" indicator: one Related_Observable per file, identified by MD5 only. Unlike the other indicators in this package, each Related_Observable carries its own id in addition to the id of the Observable inside it. -->
<!-- Each Description is free text made of KEY="value" pairs. DETECTION_NAME is a comma-separated list that repeats names and, in several entries, is broken across lines; those line breaks are part of the element text, so collapse whitespace and de-duplicate after splitting. -->
<stix:Indicator id="KTL:indicator-31b1a20e-676a-579b-b85f-61a7d4900f64">
<indicator:Title>Files accessed requested URL</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74" xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable id="KTL:Observable-ac71a189-70aa-4044-afd4-c1d13ecb71f9">
<cybox:Observable id="KTL:Observable-c42b8190-50fc-4e08-88d1-84b32c27695e">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="11.02.2016" HITS="1000000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,
BSS:Exploit.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Worm.Win32.BSS.ScreenLock,BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,
BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,Trojan.Win32.Agentb.bqvi,not-a-virus:BSS:RiskTool.Win32.DelShad.ra,
not-a-virus:AdWare.Win32.ELEX.nl,not-a-virus:HEUR:AdWare.Win32.ELEX.gen"</cybox:Description>
<!-- NOTE(review): three things a strict consumer will trip over, repeated in every file entry of this indicator: cyboxCommon:Hash is nested inside cyboxCommon:Hash, Simple_Hash_Value appears twice with the same value, and the xsi:type prefix cyboxVocabs is not declared on this package's root element. Read the hash from either Simple_Hash_Value and do not require the xsi:type to resolve. -->
<!-- The File object id is the MD5 rewritten in GUID form with the first three groups byte-swapped, so it adds nothing beyond the hash. MD5 is not collision resistant; corroborate a match with a stronger hash or other context before acting on it. -->
<cybox:Object id="KL_DATA_FEED:File-90f566ee-b34f-14fb-ac3e-bd6a12713d35">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">EE66F5904FB3FB14AC3EBD6A12713D35</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>EE66F5904FB3FB14AC3EBD6A12713D35</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-b64a56bc-b0a9-4a98-af9b-5688aa36de85">
<cybox:Observable id="KTL:Observable-0826daed-0589-4d54-bf3e-1adff389167e">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="12.10.2016" HITS="1000000"
DETECTION_NAME="PDM:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,Virus.Win32.Sality.aa,PDM:Trojan.Win32.DNSChanger,
not-a-virus:PDM:Monitor.Win32.KeyLogger,PDM:Trojan.Win32.DebugBehaviour,PDM:Trojan.Win32.Injecter.a,PDM:Trojan.Win32.Injecter.b,
PDM:Trojan.Win32.RootShell,PDM:Trojan-Spy.Win32.Generic.a,PDM:Rootkit.Win32.Generic.a,PDM:Rootkit.Win32.Generic.c,PDM:Rootkit.Win32.Generic.e,
PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.StartPage.a,BSS:Exploit.Java.Generic,BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Badur.a,
BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.StartPage.a,not-a-virus:BSS:Downloader.Win32.LMN.a,BSS:Worm.Win32.BSS.ScreenLock,
BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Trojan.Win32.Generic"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-0b29df1b-5c27-deef-6f45-0b5476c4e215">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">1BDF290B275CEFDE6F450B5476C4E215</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>1BDF290B275CEFDE6F450B5476C4E215</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-7115f561-a3b6-48c1-9e86-469e6873c5e8">
<cybox:Observable id="KTL:Observable-003159ab-cbec-46d2-9bc9-36cac150c8bb">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="15.10.2016" HITS="100000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,
BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Truebadur.a,
HEUR:Exploit.Script.Blocker.U,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-4fd0bc0d-ee07-1a21-80d5-14b8ae64be81">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0DBCD04F07EE211A80D514B8AE64BE81</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0DBCD04F07EE211A80D514B8AE64BE81</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-cdebc1df-6270-4c0f-8627-79ff0c67cf3c">
<cybox:Observable id="KTL:Observable-58ebaf5c-09e0-483c-998f-10fe9941085f">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="10.10.2016" HITS="100000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,
BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Exploit.Win32.Generic,
BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Trojan.Win32.Generic,
BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-ebb74f37-2048-f09c-da7d-4e355c9eeeff">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">374FB7EB48209CF0DA7D4E355C9EEEFF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>374FB7EB48209CF0DA7D4E355C9EEEFF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-2afbca9f-eb7c-4dcb-9419-bd0bd905a5bc">
<cybox:Observable id="KTL:Observable-d3dc6d4c-7a29-40d0-9688-9c1ab8563a70">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="14.10.2016" HITS="10000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-800c55a7-7cd9-3aef-b0d4-4bbd403e35a4">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">A7550C80D97CEF3AB0D44BBD403E35A4</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>A7550C80D97CEF3AB0D44BBD403E35A4</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- "Referrals to requested URL" indicator. Only the first entry is ZONE="Red"; the other three are ZONE="Green", so being listed as a referrer is not in itself a verdict on that address. Values are written without a scheme; normalise before matching against logs. -->
<stix:Indicator id="KTL:indicator-9a09259d-82d2-58f0-baee-df5e2cd50ba2">
<indicator:Title>Referrals to requested URL</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74" xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-648662bd-7022-4267-990b-188d963e4488">
<cybox:Description>ZONE="Red" LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-1bb757ba-f948-5ca0-a915-54b9b5a1d06e">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">go.spaceshipads.com/afu.php</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-68ee76c9-8bd0-4d78-8da1-ed6125b3ec19">
<cybox:Description>ZONE="Green" LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-58b814fb-ee6b-5759-b666-c403323727b7">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">yxo.warmportrait.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<!-- NOTE(review): the next two entries carry the same URI value and the same cybox:Object id under different Observable ids. An id that repeats within one document breaks any store keyed on object id; de-duplicate on ingest and do not assume ids are unique. -->
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-3d7808b5-a50c-4858-8261-0deee7578fb3">
<cybox:Description>ZONE="Green" LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-07e0e95a-aae3-51b4-b8e6-9c8769a6f7f1">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">yxo.warmportrait.com/sd/dw32.html</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-05441720-72be-494c-bd37-1952e4e22cc8">
<cybox:Description>ZONE="Green" LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-07e0e95a-aae3-51b4-b8e6-9c8769a6f7f1">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">yxo.warmportrait.com/sd/dw32.html</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<!-- The single TTP of the package. Every indicator points to it through stixCommon:TTP idref, and the Observable idref inside it points back to the looked-up URL's observable under stix:Observables. -->
<!-- NOTE(review): the timestamp omits seconds (2016-11-08T02:06Z). xs:dateTime requires hh:mm:ss, so strict schema validation may reject this value; parse it leniently and do not assume schema-valid input. -->
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74" timestamp="2016-11-08T02:06Z">
<ttp:Title>LOOKUP_URL</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-bbfb2c01-51eb-4a7b-a136-2d8016fc3ede" />
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the web address 54.171.124.134/upd/updsetup.exe in STIX format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
URL_23483e60e81b5005a84eff5ed7e1cf20_stix (for IP address).xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" id="KL_Botnet_Tracking:Package-3886bf16-16f8-4074-8702-a12ddd22a0bc" version="1.2">
<!-- Header: names the lookup type and repeats the looked-up URL in full. The host part is an IPv4 literal and no scheme is given. -->
<stix:STIX_Header>
<stix:Title>URL LOOKUP</stix:Title>
<stix:Description>Information about lookup URL 54.171.124.134/upd/updsetup.exe</stix:Description>
</stix:STIX_Header>
<!-- The looked-up URL itself. Its URI object id is the same UUID that forms the default export file name. ZONE, IP_COUNT, FILES_COUNT and CATEGORY are KEY="value" pairs inside the Description text. NOTE(review): IP_COUNT is "0" here, presumably because the host is already an IP address; confirm before treating 0 as "no infrastructure known". -->
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:observable-4fe4c43c-abd9-4fec-9180-b2032c5d19d8">
<cybox:Description>ZONE="Red" IP_COUNT="0" FILES_COUNT="10000" CATEGORY="URLREP_CATEGORY_MALWARE"</cybox:Description>
<cybox:Object id="KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20">
<!-- NOTE(review): the element below is spelled cybox:Propertis, while the file objects later in this package use cybox:Properties. If real exports carry this spelling, a consumer that selects cybox:Properties silently misses the looked-up URL; confirm against an actual export and alert on objects that yield no properties. -->
<cybox:Propertis xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">54.171.124.134/upd/updsetup.exe</URIObj:Value>
</cybox:Propertis>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="KTL:indicator-7d9e431a-9aac-52d3-b028-535ae7c4e4f7">
<indicator:Title>Files accessed requested URL</indicator:Title>
<indicator:Related_Observables>
<!-- File entry whose MD5 is the same hash that the hash example at the top of this section investigates, so the two sample packages can be cross-checked against each other. -->
<!-- NOTE(review): cyboxCommon:Hash is nested inside cyboxCommon:Hash and Simple_Hash_Value appears twice with the same value; read the hash from either one. The File object id is the MD5 rewritten in GUID form with the first three groups byte-swapped. Only MD5 is supplied, and MD5 is not collision resistant, so corroborate a match before acting on it. -->
<indicator:Related_Observable id="KTL:Observable-4b35df16-26a4-483f-8dd8-d5692156394e">
<cybox:Observable id="KTL:Observable-a9e94e2b-0599-4002-b882-3d960cfb8a25">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="24.08.2016" HITS="1000000" DETECTION_NAME="Virus.Win32.Hidrag.a,BSS:Trojan.Win32.Generic,BSS:Worm.Win32.BSS.ScreenLock,BSS:Exploit.Win32.Generic,not-a-virus:Downloader.Win32.Agent.cugr,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b8,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.NSIS.ConvertAd.ba,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-59b35d49-14d6-f011-6882-11c8dd473cb7">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-359cce98-2311-425f-a97b-b9175865e690">
<cybox:Observable id="KTL:Observable-d9430bbe-7389-4c28-a4e0-057f1cf72def">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="23.08.2016" HITS="100000" DETECTION_NAME="PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,not-a-virus:AdWare.Win32.AdAgent.uf,not-a-virus:AdWare.Win32.AdAgent.uh"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-ec71fb57-e676-e2d6-c10a-8a0635834b72">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">57FB71EC76E6D6E2C10A8A0635834B72</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>57FB71EC76E6D6E2C10A8A0635834B72</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-29f13be7-7dfd-4126-bbde-6aa024cc6400">
<cybox:Observable id="KTL:Observable-5d5b0a68-2d20-43e6-ae20-b1568a9051f9">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="23.08.2016" HITS="10000" DETECTION_NAME="HEUR:Trojan.Win32.Generic,not-a-virus:AdWare.Win32.Agent.kahx"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-005e8396-f063-75be-d767-dced1f57d7f8">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">96835E0063F0BE75D767DCED1F57D7F8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>96835E0063F0BE75D767DCED1F57D7F8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-da1bcef3-9edf-4acc-9b30-2fc176387f63">
<cybox:Observable id="KTL:Observable-6bf06cd3-c0a9-4355-8b33-9239f5e138cf">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="26.08.2016" HITS="10000" DETECTION_NAME="not-a-virus:HEUR:AdWare.Win32.AdAgent.gen,not-a-virus:AdWare.Win32.AdAgent.kl"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-15495167-e580-0168-485b-56a2fc48dc3b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">6751491580E56801485B56A2FC48DC3B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>6751491580E56801485B56A2FC48DC3B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-7cc29634-e9dd-4dd1-a134-2864ebe67b59">
<cybox:Observable id="KTL:Observable-198c83b7-4908-47d2-a0f8-81c98d94443a">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016" HITS="10000000" DETECTION_NAME="not-a-virus:BSS:AdWare.Win32.Eorezo.a,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,not-a-virus:BSS:Downloader.Win32.AdLoad.aca,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-aa00338d-3725-0d5d-f724-979b28f33b27">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">8D3300AA25375D0DF724979B28F33B27</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>8D3300AA25375D0DF724979B28F33B27</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-d2182bef-931f-462f-828b-5a48b88562b1">
<cybox:Observable id="KTL:Observable-867c8a98-cfc8-4eb2-9c42-4f117bef50d9">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016" HITS="1000000" DETECTION_NAME="BSS:Exploit.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b3,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.AdLoad.aca,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-572f5e15-75c9-1b34-6250-490c14d1123b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">155E2F57C975341B6250490C14D1123B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>155E2F57C975341B6250490C14D1123B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-468ebf7a-58a5-4ee9-9084-b425ed4482b7">
<cybox:Observable id="KTL:Observable-6287549f-b9c8-4734-81e9-cd3694a1eefa">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="26.08.2016" HITS="100000" DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-a4782fba-136c-b0b6-c0a1-2f3fa3d19d16">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">BA2F78A46C13B6B0C0A12F3FA3D19D16</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>BA2F78A46C13B6B0C0A12F3FA3D19D16</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-b19bfad2-aeb9-4e94-9a3e-b26fd4c36f75">
<cybox:Observable id="KTL:Observable-af75dbf5-a6f5-4710-af26-bd0528d81a4f">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="24.08.2016" HITS="100000" DETECTION_NAME="BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Worm.Win32.BSS.ScreenLock,not-a-virus:BSS:AdWare.Win32.Eorezo.a,BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.Win32.Eorezo.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-d72c320c-4009-d90c-4ac2-b47621a7875f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0C322CD709400CD94AC2B47621A7875F</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0C322CD709400CD94AC2B47621A7875F</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-c822a844-821b-48a3-b536-97d392567d66">
<cybox:Observable id="KTL:Observable-10c0a8c7-5736-42f8-bbb1-4ecf80600ed4">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="28.08.2016" HITS="100000" DETECTION_NAME="BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b8,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.NSIS.ConvertAd.ba,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.Win32.StartSurf.ra,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b,not-a-virus:BSS:AdWare.NSIS.ConvertAd.bcb"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-7a6c58a8-febf-1af9-3eb5-1d803110bcbc">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">A8586C7ABFFEF91A3EB51D803110BCBC</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>A8586C7ABFFEF91A3EB51D803110BCBC</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<!-- This Description has no DETECTION_NAME key, only ZONE, FIRST_DOWNLOADED and HITS. A parser must treat DETECTION_NAME as optional and must not fail on the entry or carry over the value from the previous one. -->
<indicator:Related_Observable id="KTL:Observable-7460bd5e-5104-40bc-9b6d-1f50829f979f">
<cybox:Observable id="KTL:Observable-bee3d112-b3a5-46aa-9006-adfe7584127d">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016" HITS="10000"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-d8fd37cd-45cd-760d-5299-75d445745e19">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">CD37FDD8CD450D76529975D445745E19</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>CD37FDD8CD450D76529975D445745E19</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-6b824a8f-b75f-4e3f-a09c-51ad0705103a">
<cybox:Observable id="KTL:Observable-68fc8939-7787-461f-8fe3-fa325978ee6f">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="04.09.2016" HITS="10000" DETECTION_NAME="BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-667ca90e-c1ea-f80d-f18d-276f9522531a">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0EA97C66EAC10DF8F18D276F9522531A</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0EA97C66EAC10DF8F18D276F9522531A</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-cc5fedfb-de14-4e9a-b977-0e61c32691de">
<cybox:Observable id="KTL:Observable-7dad2738-420a-460d-a1f0-66482bc1635f">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016" HITS="1000" DETECTION_NAME="PDM:P2P-Worm.Win32.Generic,HEUR:Trojan.Win32.Generic"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-8e2ae83e-456c-87c6-2f46-87b132338dae">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3EE82A8E6C45C6872F4687B132338DAE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>3EE82A8E6C45C6872F4687B132338DAE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-098210b0-f2cf-4bbf-b9c7-b660ffcfe017">
<cybox:Observable id="KTL:Observable-cbffd93e-1eee-448c-9c79-94e05bd63cdc">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016" HITS="10"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-4d968e9d-8e1f-8f3a-16a1-52cfe51d77b0">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">9D8E964D1F8E3A8F16A152CFE51D77B0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>9D8E964D1F8E3A8F16A152CFE51D77B0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<!-- Run of related-file observables that all carry ZONE="Green".
     Most of them also carry a DETECTION_NAME list (including Trojan and
     Rootkit family names), so in this sample the presence of DETECTION_NAME
     does not by itself imply a non-Green ZONE. Read ZONE and DETECTION_NAME
     as separate fields and confirm the vendor's meaning of each before
     mapping them to a verdict or a block rule.
     cybox:Description is free text with space-separated KEY="value" pairs;
     dates are day-first (DD.MM.YYYY). DETECTION_NAME is a comma-separated
     list inside one quoted value.
     Each cybox:Object id suffix is the MD5 below it in GUID byte order.
     NOTE(review): the nested cyboxCommon:Hash with a repeated
     Simple_Hash_Value does not look like the CybOX 2.x HashType content
     model; confirm against a real export before relying on schema
     validation. Only MD5 is provided: treat it as a lookup key, since MD5
     is not collision-resistant. -->
<indicator:Related_Observable id="KTL:Observable-ed7b6d29-6b17-4c2b-83e5-e4ce50045f37">
<cybox:Observable id="KTL:Observable-fd030e22-ed21-490b-9c84-2ef40a3fad33">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016" HITS="1000000" DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-9ca08599-d12a-ac57-d295-254e86b605ff">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">9985A09C2AD157ACD295254E86B605FF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>9985A09C2AD157ACD295254E86B605FF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<!-- In the next entry the Description text contains literal line breaks
     inside the quoted DETECTION_NAME value (possibly a documentation
     rendering artifact: confirm). Trim whitespace around each name after
     splitting on commas. -->
<indicator:Related_Observable id="KTL:Observable-577147a3-9aca-4aea-8c33-d7d40bcdcb06">
<cybox:Observable id="KTL:Observable-9d8f7b12-966b-4925-88ff-c2afb38e929f">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016" HITS="1000000" DETECTION_NAME="PDM:Trojan.Win32.DNSChanger,
PDM:Trojan.Win32.Injecter.b,PDM:Trojan.Win32.RootShell,PDM:Rootkit.Win32.Generic.c,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,
not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-eb24b3b7-ed46-22cf-08b7-6f3983061d67">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">B7B324EB46EDCF2208B76F3983061D67</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B7B324EB46EDCF2208B76F3983061D67</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-1bbb18ad-d64d-4eff-8284-3738b8457c76">
<cybox:Observable id="KTL:Observable-6bc8a16f-d3f0-4de9-84c1-c29c096223f4">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016" HITS="1000000" DETECTION_NAME="PDM:Trojan.Win32.DNSChanger,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,BSS:Trojan.Win32.Generic,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-8c1a1edd-a33b-dfe7-6871-e98a79f057a0">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">DD1E1A8C3BA3E7DF6871E98A79F057A0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>DD1E1A8C3BA3E7DF6871E98A79F057A0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-36623afe-48a5-4aa8-9d9a-a6b9fe2c3a88">
<cybox:Observable id="KTL:Observable-07e6ae8a-d557-4506-aa29-fb53a71f4a8f">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="23.08.2016" HITS="100000" DETECTION_NAME="BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-0dd5827d-3abc-cefd-f583-8a36b3296f86">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">7D82D50DBC3AFDCEF5838A36B3296F86</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>7D82D50DBC3AFDCEF5838A36B3296F86</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-f6925341-d8a5-462d-89ef-36b63af1d2b9">
<cybox:Observable id="KTL:Observable-23e0f9b8-58d3-4d28-99c8-a2a9704c5382">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="27.08.2016" HITS="100000" DETECTION_NAME="not-a-virus:AdWare.Win32.Agent.kakt,not-a-virus:HEUR:AdWare.Win32.Agent.gen"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-a95fd20a-8baf-613c-a165-fe70bf4426de">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0AD25FA9AF8B3C61A165FE70BF4426DE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0AD25FA9AF8B3C61A165FE70BF4426DE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-a17c39d4-302d-4dee-9fcb-15a04294f609">
<cybox:Observable id="KTL:Observable-fe83b1d0-e21b-4e1d-901c-928db82f3681">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016" HITS="100000" DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-d2096bd0-f01e-c65a-dd1c-56b67de2fc93">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">D06B09D21EF05AC6DD1C56B67DE2FC93</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>D06B09D21EF05AC6DD1C56B67DE2FC93</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-fb96d6c4-73d0-45fb-99b4-a7ca0b4690e0">
<cybox:Observable id="KTL:Observable-82be8d2c-f05a-4f94-bb6c-a89591ee3fc4">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016" HITS="10000" DETECTION_NAME="PDM:Trojan.Win32.DNSChanger,not-a-virus:PDM:Monitor.Win32.KeyLogger,PDM:Trojan.Win32.Injecter.b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-a7159f5b-e28f-3a52-b48c-14990e1e44ad">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5B9F15A78FE2523AB48C14990E1E44AD</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>5B9F15A78FE2523AB48C14990E1E44AD</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-8ebc7d62-c264-4886-971e-16f4bcbc851f">
<cybox:Observable id="KTL:Observable-c9e14335-fba4-450f-929f-f2441275516e">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="26.08.2016" HITS="10000" DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-cbcfc725-3a3a-947d-ba7e-b66d894b9844">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">25C7CFCB3A3A7D94BA7EB66D894B9844</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>25C7CFCB3A3A7D94BA7EB66D894B9844</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-154d2048-5eda-4989-b2e6-270dd88f455c">
<cybox:Observable id="KTL:Observable-d9178382-1707-4428-98ea-f8947f8d4fc1">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016" HITS="10000" DETECTION_NAME="not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-defe3a59-464e-47d5-ab08-4d6be7cf93d0">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">593AFEDE4E46D547AB084D6BE7CF93D0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>593AFEDE4E46D547AB084D6BE7CF93D0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<!-- The next entry has no DETECTION_NAME key at all, so parsers must treat
     that key as optional. -->
<indicator:Related_Observable id="KTL:Observable-fb43141b-4557-4d03-ba16-5b4198bafba9">
<cybox:Observable id="KTL:Observable-d12ec472-6241-48ff-8a48-f6d40fb6c16e">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="27.08.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-683ba45b-3d21-d104-9914-4dac9d4049ed">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5BA43B68213D04D199144DAC9D4049ED</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>5BA43B68213D04D199144DAC9D4049ED</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "Files related to requested URL": four file observables, all
     with ZONE="Red" and HITS="1000".
     Compared with the other file entries in this excerpt, the Description
     here adds a LAST_DOWNLOADED key next to FIRST_DOWNLOADED; both are
     day-first dates (DD.MM.YYYY), not ISO 8601. The Description is free text
     with space-separated KEY="value" pairs and DETECTION_NAME is a
     comma-separated list inside one quoted value, so the consumer must
     parse it itself.
     Each cybox:Object id suffix is the MD5 below it in GUID byte order.
     NOTE(review): the nested cyboxCommon:Hash with a repeated
     Simple_Hash_Value does not look like the CybOX 2.x HashType content
     model; confirm against a real export before relying on schema
     validation. Only MD5 is provided: use it as a lookup key and, where
     possible, corroborate with a stronger hash from another source, since
     MD5 is not collision-resistant. -->
<stix:Indicator id="KTL:indicator-911eec09-e42e-5094-b8ee-de1fa90f2067">
<indicator:Title>Files related to requested URL</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable id="KTL:Observable-e1b31a68-43e6-4ace-ae32-7e5ee569d680">
<cybox:Observable id="KTL:Observable-13280701-1f74-4b8e-aeca-887e7c73f750">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="25.08.2016" LAST_DOWNLOADED="25.08.2016" HITS="1000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Truebadur.a,HEUR:Exploit.Script.Blocker.U"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-25f13129-8116-daa3-f181-e7353ea64438">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">2931F1251681A3DAF181E7353EA64438</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>2931F1251681A3DAF181E7353EA64438</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-a5eb9018-762a-4fbe-8e9b-abbcd261b45f">
<cybox:Observable id="KTL:Observable-73351931-768e-493c-a859-dc17017d1f26">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="24.08.2016" LAST_DOWNLOADED="24.08.2016" HITS="1000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Badur.a,Trojan.MSIL.Agent.folj"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-81f6f963-3fc1-b870-19aa-b24154c0d3cb">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">63F9F681C13F70B819AAB24154C0D3CB</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>63F9F681C13F70B819AAB24154C0D3CB</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-6197beac-f080-4463-b9da-cc54d2a907a4">
<cybox:Observable id="KTL:Observable-1074ba72-1fd9-474b-bce9-06a5b2c8bc3c">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="23.08.2016" LAST_DOWNLOADED="23.08.2016" HITS="1000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Truebadur.a,not-a-virus:BSS:Downloader.Win32.LMN.ra,Trojan.MSIL.Agent.folj"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-5bac6da0-d584-8423-a5ef-42241131b1aa">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">A06DAC5B84D52384A5EF42241131B1AA</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>A06DAC5B84D52384A5EF42241131B1AA</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable id="KTL:Observable-b9b6e0f4-1c3f-4ad3-a2d1-4709e6823bbc">
<cybox:Observable id="KTL:Observable-ec65d96e-4df7-4bbd-ba5d-362a365e6645">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="23.08.2016" LAST_DOWNLOADED="23.08.2016" HITS="1000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:Downloader.Win32.LMN.ra,not-a-virus:BSS:AdWare.Win32.ICLoader.gen"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-2c03762b-65d9-e6e7-29c9-6902655a9130">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">2B76032CD965E7E629C96902655A9130</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>2B76032CD965E7E629C96902655A9130</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "Referrals to requested URL": two URI observables, one with
     ZONE="Red" and one with ZONE="Green".
     Unlike the file indicators in this package, indicator:Related_Observable
     carries no id attribute here, so code that indexes Related_Observable by
     id must handle its absence. The Description uses a LAST_REFERENCE key
     with a day-first date (DD.MM.YYYY).
     URIObj:Value is given without a scheme (host and path only), so matching
     logic should not assume an http:// or https:// prefix; the first value
     has an IP-literal host. Values are not defanged: treat them as match
     data and keep tooling from auto-linking or fetching them.
     The Object id KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20 also appears
     under the "Requested object linked, forwarded, or redirected to
     following URLs" indicator, so consumers keying objects on id should
     expect the same id more than once in one package. -->
<stix:Indicator id="KTL:indicator-96535a34-b604-5c99-8b71-018058fd2798">
<indicator:Title>Referrals to requested URL</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-c1d867c2-43d3-43e6-975f-a1d3e321017a">
<cybox:Description>ZONE="Red" LAST_REFERENCE="23.08.2016"</cybox:Description>
<cybox:Object id="KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">54.171.124.134/upd/updsetup.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-9c158bdf-dfb7-4129-827a-bd33c2d96734">
<cybox:Description>ZONE="Green" LAST_REFERENCE="26.08.2016"</cybox:Description>
<cybox:Object id="KTL:URI-32451edd-6264-509c-b873-4119a110d6e2">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">vahtajob.net/board/vakansii_vakhtoj_na_severe/6-7</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<!-- Indicator "Requested object linked, forwarded, or redirected to
     following URLs": a single URI observable with ZONE="Red".
     The Description holds ZONE and LAST_REFERENCE as free-text KEY="value"
     pairs; the date is day-first (DD.MM.YYYY). URIObj:Value has no scheme,
     so do not assume http:// or https:// when matching, and keep tooling
     from auto-linking or fetching the value.
     The cybox:Object id and URI value are the same as the first entry of the
     "Referrals to requested URL" indicator, while the enclosing
     cybox:Observable id differs. Deduplicate on the Object id or the URI
     value rather than on the Observable id. -->
<stix:Indicator id="KTL:indicator-efc2bed0-022a-51e0-9b91-39e28ce7949e">
<indicator:Title>Requested object linked, forwarded, or redirected to following URLs</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-c9359828-4d04-4ccd-961a-3f7f5b41c98e">
<cybox:Description>ZONE="Red" LAST_REFERENCE="23.08.2016"</cybox:Description>
<cybox:Object id="KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">54.171.124.134/upd/updsetup.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<!-- TTP section: one TTP titled LOOKUP_URL whose Infrastructure points, by
     idref, at an observable defined elsewhere in the package (the target is
     not within this excerpt; presumably the requested URL itself: confirm).
     The idref is spelled "KTL:observable-..." with a lower-case "o", while
     the Observable ids in the surrounding indicators use "KTL:Observable-...".
     ids are case-sensitive, so resolve the reference by exact match and
     handle an unresolved idref instead of assuming it always resolves.
     NOTE(review): timestamp="2016-11-09T04:39Z" has no seconds field, which
     is not a valid xs:dateTime lexical form; strict parsers may reject it,
     so parse it leniently or normalise it before validation. -->
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="KTL:ttp-62a1c115-6189-4abb-8164-a2f0321a4d59" timestamp="2016-11-09T04:39Z">
<ttp:Title>LOOKUP_URL</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-4fe4c43c-abd9-4fec-9180-b2032c5d19d8" />
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>