{"report_id":"4b9a1c54-1fde-4fe2-b4c0-6758be2653c9","version":6,"status":"done","tags":[],"date":"2026-05-05T10:33:30Z","url":{"schema":"http","addr":"77.172.14.72/AV.scr","fqdn":"77.172.14.72","domain":"77.172.14.72","tld":""},"ip":{"addr":"77.172.14.72","port":0,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing","dom":{"size":3632,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text","md5":"cab12ec2a37b5d71ba2758f532d72275","sha1":"49995912fddd32ee74dd2ff48ba0caa72c71e2e3","sha256":"c00567cb2129bcbadbf0135034bd1270883253f22b3272448bbe1f37fd732108","sha512":"1fd2866b5e25b2d44ef9777d6c88edf7a5db993567250e5e054cabaa79c1e44141b487ef6913a3be6733433604373a9ad4ec6288f1f7ea353b28810f1d3c150a","ssdeep":"","tlshash":"797146a514f1552718a383a5de81bf1b9f826a07cf8d6a403b9f00f22f97d55887f20d","dom_hash":"domhash03f850468cad29251ed949292c202f85","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"77.172.14.72/AV.scr","fqdn":"77.172.14.72","domain":"77.172.14.72","tld":""},"ip":{"addr":"77.172.14.72","port":0,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-06-09T10:33:30Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":3,"urlquery":0,"analyzer":2}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"ip_src":{"addr":"Client IP","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET HUNTING HTTP request for resource ending in .scr","source":"{\"timestamp\":\"2026-05-05T10:33:04.348959+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":51438,\"dest_ip\":\"77.172.14.72\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018231,\"rev\":7,\"signature\":\"ET HUNTING HTTP request for resource ending in .scr\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2014_03_07\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_09_15\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":675,\"bytes_toclient\":431,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"Client IP","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2026-05-05T10:33:04.521175+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"77.172.14.72\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":51438,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42960},\"files\":[{\"filename\":\"/AV.scr\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":42960,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":34,\"bytes_toserver\":2061,\"bytes_toclient\":46869,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"Client IP","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2026-05-05T10:33:04.521175+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"77.172.14.72\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":51438,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42960},\"files\":[{\"filename\":\"/AV.scr\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":42960,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":34,\"bytes_toserver\":2061,\"bytes_toclient\":46869,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Public YARA rules","description":"Public InfoSec YARA rules","scan_date":"2026-05-05","alert":"Identifies executable converted using PyInstaller.","trigger":"77.172.14.72/AV.scr","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-01-01","description":"Identifies executable converted using PyInstaller.","fingerprint":"ae849936b19be3eb491d658026b252c2f72dcb3c07c6bddecb7f72ad74903eee","first_imported":"2021-12-30","id":"6Pyq57uDDAEHbltmbp7xRT","last_modified":"2021-12-30","rule":"PyInstaller","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2026-05-05","alert":"Win.Malware.F857af-9782749-0","trigger":"77.172.14.72/AV.scr","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null},"summary":[{"fqdn":"77.172.14.72","ip":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":8,"request_count":2,"received_data":6271489,"sent_data":890,"comment":"","tags":null,"fingerprints":[{"name":"Windows CE","description":"Windows CE is an operating system designed for small footprint devices or embedded systems.","website":"https://microsoft.com","common_platform_enumeration":"","icon":"Microsoft.svg","categories":["Operating systems"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"be31cca33af2de146e80b41ffda26f3b","sha1":"f126cf6711ba577cc898b47384ef57c1f7949bac","sha256":"74bfdfc31d96fa3553f4a0f2975a1470c5503c2200b1e1a37c59817e1ed1dffe","sha512":"1b9311f36aa34a5ef5e9c43ac794947a4115fe50969eee14b93b5ef6aa5bb5d8b6ad6a9b1e4f617d8ef01fa20d661602b9efdaa049a1163ac6443bc8615f3a06","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections","size":6271268,"url":{"schema":"http","addr":"77.172.14.72/AV.scr","fqdn":"77.172.14.72","domain":"77.172.14.72","tld":""},"ip":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Public YARA rules","description":"Public InfoSec YARA rules","scan_date":"2026-05-05","alert":"Identifies executable converted using PyInstaller.","trigger":"77.172.14.72/AV.scr","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-01-01","description":"Identifies executable converted using PyInstaller.","fingerprint":"ae849936b19be3eb491d658026b252c2f72dcb3c07c6bddecb7f72ad74903eee","first_imported":"2021-12-30","id":"6Pyq57uDDAEHbltmbp7xRT","last_modified":"2021-12-30","rule":"PyInstaller","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2026-05-05","alert":"Win.Malware.F857af-9782749-0","trigger":"77.172.14.72/AV.scr","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"77.172.14.72/AV.scr","fqdn":"77.172.14.72","domain":"77.172.14.72","tld":""},"ip":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-05-05T10:33:04.274Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /AV.scr HTTP/1.1\r\nHost: 77.172.14.72\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.0 200 OK\r\nDate: Tue, 05 May 2026 10:33:05 GMT\r\nConnection: keep-alive\r\nServer: Microsoft-WinCE/6.00\r\nLast-Modified: Sat, 07 Jun 2025 13:50:10 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 6271268\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Windows CE","description":"Windows CE is an operating system designed for small footprint devices or embedded systems.","website":"https://microsoft.com","common_platform_enumeration":"","icon":"Microsoft.svg","categories":["Operating systems"]}],"data":{"size":6271268,"size_decoded":0,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections","md5":"be31cca33af2de146e80b41ffda26f3b","sha1":"f126cf6711ba577cc898b47384ef57c1f7949bac","sha256":"74bfdfc31d96fa3553f4a0f2975a1470c5503c2200b1e1a37c59817e1ed1dffe","sha512":"1b9311f36aa34a5ef5e9c43ac794947a4115fe50969eee14b93b5ef6aa5bb5d8b6ad6a9b1e4f617d8ef01fa20d661602b9efdaa049a1163ac6443bc8615f3a06","ssdeep":"24576:R3oCTWeZTfxnW9yFdNM+lu8n5bpGLIe1hdp1YdGrksfC3fTIy:R3XTWsTBDNQ2iselXOfTIy","tlshash":"7b251211b5c1c0b2d036243509f5c6b9a97dbd714b2686dba3a83b755f303d1233aaee","first_seen":"2024-11-30T10:16:00.681242Z","last_seen":"2026-05-05T10:33:35.904314Z","times_seen":25,"resource_available":true,"data":null}},"time_used":8072,"timings":{"blocked":27,"dns":0,"connect":27,"send":0,"wait":48,"receive":7969,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"ip_src":{"addr":"172.18.0.17","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET HUNTING HTTP request for resource ending in .scr","source":"{\"timestamp\":\"2026-05-05T10:33:04.348959+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":51438,\"dest_ip\":\"77.172.14.72\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018231,\"rev\":7,\"signature\":\"ET HUNTING HTTP request for resource ending in .scr\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2014_03_07\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_09_15\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":675,\"bytes_toclient\":431,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"172.18.0.17","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2026-05-05T10:33:04.521175+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"77.172.14.72\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":51438,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42960},\"files\":[{\"filename\":\"/AV.scr\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":42960,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":34,\"bytes_toserver\":2061,\"bytes_toclient\":46869,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"172.18.0.17","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2026-05-05T10:33:04.521175+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"77.172.14.72\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":51438,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42960},\"files\":[{\"filename\":\"/AV.scr\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":42960,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":34,\"bytes_toserver\":2061,\"bytes_toclient\":46869,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Public YARA rules","description":"Public InfoSec YARA rules","scan_date":"2026-05-05","alert":"Identifies executable converted using PyInstaller.","trigger":"77.172.14.72/AV.scr","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-01-01","description":"Identifies executable converted using PyInstaller.","fingerprint":"ae849936b19be3eb491d658026b252c2f72dcb3c07c6bddecb7f72ad74903eee","first_imported":"2021-12-30","id":"6Pyq57uDDAEHbltmbp7xRT","last_modified":"2021-12-30","rule":"PyInstaller","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2026-05-05","alert":"Win.Malware.F857af-9782749-0","trigger":"77.172.14.72/AV.scr","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"77.172.14.72/AV.scr","fqdn":"77.172.14.72","domain":"77.172.14.72","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-05-05T10:33:04.155Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /AV.scr HTTP/1.1\r\nHost: 77.172.14.72\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-05T13:09:49.510693Z","times_seen":14689199,"resource_available":true,"data":null}},"time_used":51,"timings":{"blocked":51,"dns":0,"connect":28,"send":0,"wait":0,"receive":0,"ssl":27},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"ip_src":{"addr":"172.18.0.17","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET HUNTING HTTP request for resource ending in .scr","source":"{\"timestamp\":\"2026-05-05T10:33:04.348959+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":51438,\"dest_ip\":\"77.172.14.72\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018231,\"rev\":7,\"signature\":\"ET HUNTING HTTP request for resource ending in .scr\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2014_03_07\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_09_15\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":675,\"bytes_toclient\":431,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"172.18.0.17","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2026-05-05T10:33:04.521175+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"77.172.14.72\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":51438,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42960},\"files\":[{\"filename\":\"/AV.scr\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":42960,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":34,\"bytes_toserver\":2061,\"bytes_toclient\":46869,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-05T10:33:04Z","timestamp":1777977184,"ip_dst":{"addr":"172.18.0.17","port":51438,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"77.172.14.72","port":80,"asn":1136,"as":"KPN B.V.","country":"The Netherlands","country_code":"NL"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2026-05-05T10:33:04.521175+0000\",\"flow_id\":1069149553962272,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"77.172.14.72\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":51438,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"77.172.14.72\",\"url\":\"/AV.scr\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42960},\"files\":[{\"filename\":\"/AV.scr\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":42960,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":34,\"bytes_toserver\":2061,\"bytes_toclient\":46869,\"start\":\"2026-05-05T10:33:04.273696+0000\"}}"}],"analyzer":null,"urlquery":null}}]}