{"report_id":"a935e514-3a10-420f-a37f-145f30fcc430","version":6,"status":"done","tags":[],"date":"2025-05-11T10:30:41Z","url":{"schema":"http","addr":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","fqdn":"72.144.231.7","domain":"72.144.231.7","tld":""},"ip":{"addr":"72.144.231.7","port":0,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-07-20T10:30:41Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"72.144.231.7","ip":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":6,"request_count":2,"received_data":387165,"sent_data":1200,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"470a824c59a034177ba44aff33422a0a","sha1":"d462f66489b71eb53d35b482f9f9874844aad88e","sha256":"ba87a7bc800b36b397b5ec317612ff7876d38fd5b6547ac8be6acafada1095e5","sha512":"c84364d035e71957f58d639f7acad2019623ea2eaadb1fb2e0484cc3294793fa861b93e8b417eb40eb5f78fca6c31a39a55fd7d82918de08e4f644349b572c03","magic":"PE32+ executable (GUI) x86-64, for MS Windows, 6 sections","size":386672,"url":{"schema":"http","addr":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","fqdn":"72.144.231.7","domain":"72.144.231.7","tld":""},"ip":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"files - file ~tmp01925d3f.exe","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"The DFIR Report","date":"2021-02-22","description":"files - file ~tmp01925d3f.exe","hash1":"10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63","reference":"https://thedfirreport.com","rule":"cobalt_strike_tmp01925d3f","score":"80","yarahub_license":"CC0 1.0","yarahub_reference_md5":"1c6ba04dc9808084846ac1005deb9c85","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58ae3b15-154e-47e9-a24c-c8b885a4cd55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"meth_stackstrings","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"470a824c59a034177ba44aff33422a0a","sha1":"d462f66489b71eb53d35b482f9f9874844aad88e","sha256":"ba87a7bc800b36b397b5ec317612ff7876d38fd5b6547ac8be6acafada1095e5","sha512":"c84364d035e71957f58d639f7acad2019623ea2eaadb1fb2e0484cc3294793fa861b93e8b417eb40eb5f78fca6c31a39a55fd7d82918de08e4f644349b572c03","magic":"PE32+ executable (GUI) x86-64, for MS Windows, 6 sections","size":386672,"url":{"schema":"http","addr":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","fqdn":"72.144.231.7","domain":"72.144.231.7","tld":""},"ip":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"files - file ~tmp01925d3f.exe","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"The DFIR Report","date":"2021-02-22","description":"files - file ~tmp01925d3f.exe","hash1":"10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63","reference":"https://thedfirreport.com","rule":"cobalt_strike_tmp01925d3f","score":"80","yarahub_license":"CC0 1.0","yarahub_reference_md5":"1c6ba04dc9808084846ac1005deb9c85","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58ae3b15-154e-47e9-a24c-c8b885a4cd55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"meth_stackstrings","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2025-05-11T10:30:22Z","timestamp":1746959422,"ip_dst":{"addr":"172.18.0.26","port":41776,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-05-11T10:30:22.467470+0000\",\"flow_id\":1756721017122075,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"72.144.231.7\",\"src_port\":80,\"dest_ip\":\"172.18.0.26\",\"dest_port\":41776,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.INFO.WindowsUpdate\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"72.144.231.7\",\"url\":\"/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42947},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":21,\"pkts_toclient\":34,\"bytes_toserver\":1952,\"bytes_toclient\":47140,\"start\":\"2025-05-11T10:30:09.453915+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"files - file ~tmp01925d3f.exe","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"The DFIR Report","date":"2021-02-22","description":"files - file ~tmp01925d3f.exe","hash1":"10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63","reference":"https://thedfirreport.com","rule":"cobalt_strike_tmp01925d3f","score":"80","yarahub_license":"CC0 1.0","yarahub_reference_md5":"1c6ba04dc9808084846ac1005deb9c85","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58ae3b15-154e-47e9-a24c-c8b885a4cd55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"meth_stackstrings","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2025-05-11","alert":"Sinkholed","trigger":"72.144.231.7","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2025-05-11","alert":"Sinkholed","trigger":"72.144.231.7","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","fqdn":"72.144.231.7","domain":"72.144.231.7","tld":""},"ip":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"","requested_by":"","date":"2025-05-11T10:30:09.454Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com HTTP/1.1\r\nHost: 72.144.231.7\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 11 May 2025 10:30:22 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 386672\r\nConnection: keep-alive\r\nCache-Control: public,max-age=172800\r\nLast-Modified: Sun, 11 May 2025 06:24:51 GMT\r\nX-CID: 10004\r\nX-CCC: c13de246-eae9-4556-8355-dbffb011c98f\r\nContent-Security-Policy: default-src 'self' http: https: data: blob: 'unsafe-inline'\r\nX-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\nX-Cache-Status: HIT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":386672,"size_decoded":0,"mime_type":"application/octet-stream","magic":"PE32+ executable (GUI) x86-64, for MS Windows, 6 sections","md5":"470a824c59a034177ba44aff33422a0a","sha1":"d462f66489b71eb53d35b482f9f9874844aad88e","sha256":"ba87a7bc800b36b397b5ec317612ff7876d38fd5b6547ac8be6acafada1095e5","sha512":"c84364d035e71957f58d639f7acad2019623ea2eaadb1fb2e0484cc3294793fa861b93e8b417eb40eb5f78fca6c31a39a55fd7d82918de08e4f644349b572c03","ssdeep":"6144:+rCFuGeF7SsncR9klvkRS6E/9+9ECQIMR5Tr6Ud9FoGlSs1:ukIFuus9klvkRSPKQIO6UrSXs1","tlshash":"5884c055bb950cf9ed67c23dc9929606eab27c060721d79f03a042ab1f237b19d3eb11","first_seen":"2025-05-11T10:30:46.007006Z","last_seen":"2025-05-11T11:18:55.352639Z","times_seen":2,"resource_available":false,"data":null}},"time_used":13135,"timings":{"blocked":28,"dns":0,"connect":28,"send":0,"wait":12933,"receive":146,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2025-05-11T10:30:22Z","timestamp":1746959422,"ip_dst":{"addr":"172.18.0.26","port":41776,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-05-11T10:30:22.467470+0000\",\"flow_id\":1756721017122075,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"72.144.231.7\",\"src_port\":80,\"dest_ip\":\"172.18.0.26\",\"dest_port\":41776,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.INFO.WindowsUpdate\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"72.144.231.7\",\"url\":\"/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42947},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":21,\"pkts_toclient\":34,\"bytes_toserver\":1952,\"bytes_toclient\":47140,\"start\":\"2025-05-11T10:30:09.453915+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"files - file ~tmp01925d3f.exe","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"The DFIR Report","date":"2021-02-22","description":"files - file ~tmp01925d3f.exe","hash1":"10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63","reference":"https://thedfirreport.com","rule":"cobalt_strike_tmp01925d3f","score":"80","yarahub_license":"CC0 1.0","yarahub_reference_md5":"1c6ba04dc9808084846ac1005deb9c85","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58ae3b15-154e-47e9-a24c-c8b885a4cd55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-11","alert":"meth_stackstrings","trigger":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2025-05-11","alert":"Sinkholed","trigger":"72.144.231.7","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"72.144.231.7/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com","fqdn":"72.144.231.7","domain":"72.144.231.7","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"","requested_by":"","date":"2025-05-11T10:30:09.396Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com HTTP/1.1\r\nHost: 72.144.231.7\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET","post_data":{"size":3800,"data":"52d009960f3121727dadd21a8365f1c1e3cc845b952e52634a51d959f038d097=EsMDO3mo9W8AOFSvk8y_wyWyuLvyLnaIeWg6bPL43IA-1746959379-1.2.1.1-XqmErcmxKCpn15fwYA51mMjB3sLmXMnb_a4bJQyo9UJWDYnfdAPKoZWYMwlw_GiA_AcM6M5R1fGrsvuUgMf6rGRBOhQuc5EaCJymqO3WEz4SdOq1qsFB5tQ.27MubSyOB6F51u2vmxilWGr0yyC8JRBDhhSk_Vh8tGRFDD4C7M9aOoMwnIEOZe85HQ0WAjlVVjNTv9fV9AieWYb4eAV3Fe3UfyAich4fXrtLkvhHKPgKLdF10A.kTIVuYFbuGTOaeJtbrDiQtgSdzWJrUbdgk5yYMPQlKB17X3IQjV479bIPoH1_5GYt3Fcw_en.5_fpKtSCAk0yrwLLsDM9nOf1Dll7rzwzJXO1TJ_YxodtGl.AOeCozAy8t9x6pNxMk.LhV.TcfdOWdwbWrY58uwURrbySYtsWqjbOHVsRajgSJ8q67Rhi6_ir6hUwvHq5jcJhLE6JzvaPx9DJC74TmaP_u2irUHqLcQ3nCbP0EIVZYw_Ox0stJ_jycYotwMxvhkSi9bYNPA1y2zcIr5ULpOi2dyBKxBw4yJCqDuM8wWMJiohcJ0CRqa26a0kuDPuKqn70lgZvJ3gYvTiZcDlpreQSAiykuZoNjLdILMGAj4GWkkmhRpfi7_cN987PvGbXvkYonb_Q3ZYqlkzZ720GA.cSMRhnWIY7Wsls3K9WKUJZX5X5B_Wo8N00d2BaAde57IZE7lM5BAirfoTbEAKS6dL3iPxZz9ejZepTkr6j11q4.5ZUTQslGReFtEC6fbumqW9oeh0LJaOmIZKc8IhDoxSdzvCCkGu_JOr6wCe.b4EnGJtoIXzRURgr3.8cMyre_Lmal1lgOgz7Xq3MLlYk_.xKcmi2VCuc2b_PyaIbGblvfWbG3p08IZ.E4xBJZT4T29k3ADE4KmwjuYRWmUXxwkb7JgdOp0EWLJR5q4fWEIAGu5yRhnXSb4Xp.DZl96sfxLd0CA8_XrEdfoiVVDYYas.dSGQU6TzfHQJGZfunLVoHALqpaKsQX68hnVvsqmvPHwsZxJhk.cLsrXjaLyrTui_t74naVCGl_oYBEznAHD4pMBM\u0026549dfe0439f4dd8ebf30fcb4e875ebba850dd1e0e55b7ca0abf6f60333cc07a6=x8WcnOv2BSxiExGq3ttEZK3JLv4WfUUey33ZtynmGbo-1746959379-1.2.1.1-M9COVYHdzPaE6xc81wyfzT5vaB5xe6.a9RiKLEkeLYJwxTNT.S24Y618IWluaXGu0ZCV2zzacuRbf_HYWqUvsqQ1YT2rxlCzJmkD0y0Y1xzWMhbOsMp_19LSteSB8hTISyyniIVh1KgW2P9dQQ6ul3vRX3gRwpghFT6K5I1WeYitAZsSlCe7qe7Dm15mf3qJhSOyHvyalTJMnxCSCYN.3sz88Y3wkOhz1hN33h.4jfc4gy2MbnhQ3WsvF1U.XroLWdmJs9G8oD9WDGbXhO98cApfH47gXKLJyrcm6DgZVxl0OKprd8rIEjxrPVV_oRnmPZpYnw7qg8ME2l95DxQp3W.BaSQr.ImJZvWxplm0Jx9S0L4pzfIlAlxDBwt0I9ZjPXllkzL0MCF5H14iqz8xOj.AawJYvCW8kR7Nx5pMqP0yqIIkGjXBHwEyMGCCZsuTowuLHluxxDeLiYV4Py5FbKhjoqmkIrENDk.lzi9ZERbYEIP9N0SEE6h1a17c8pIscLtoS5LkKxQnguCX3BgbzEFK8sV0GyJJeVDDMILfPTfydtex1WyMiR1aqvUEKPsWwi.pZLOpswzl941DbfGFONKiprNZbxqAsrFLoKYrpqviUeORsx6Ehoq7iOC0Zcj3VpjceVcQRGbvf9HygUJbcU.FK.NEZqTLoN53_y0yrBvu8x9XV4ozhWYn3wQzAs1yCMZgd1zTwwPC.N61fe8.p9LbtuGnGZKliidr8.a69W_AOeNs_xsoc2ArzjnK4KQdULXVf27EhX12z0f7c1yamKjPd3U1KQXfSb8bSd3m1_1MwBtTRkuaSEjVIoXpvvu5t0G0wxp59Kdyt3_b9uUa1SysB6lrEnC2OfdqfJh_G94wMiBTvNoIzOzCtzhONuz6NFjvJ5AhMnuxOrEkydzcHP6P77EcEi0Y15ViphxkMCUahBL3_NfwjfdNA3leVGsxPw2gLv0KPDu7IPqqzvToKx3sNoTbon1K.GGt9RduzDXw_11TiuRu_yB21aD.SiNDrbS1XYzekwWHWgKnJvZzN6P7LXwch7FT9pEcMISwNnJgtWPG4XJtnZ34hWvAQrj7UdVXTb1g22u_ZouH.AA4UOXum1HeJ7VxywWd1mshpii6UXfZ1ABo_71iCBaKD8gDfy_po6hdzAJfC6_ugHRMi2n.ysnCKm4QswGwrNv0PKUauMQlLft0qLIW0.6Bi_YcIcgSx6y6yLSZYngob90OQOTD9E63qw7ZYdG7X194JZS6O9khefwHIonBFoSZAJTQooUuKV_SFcUHDOQK1AJjIptI0RVNsJCgDdRf4t6.MIyw8X7eZS.f4FhToPGUTcA84D0yk5Rvopo442n9u_fIRSP2Vpl.uqqDXO05LxMM5LQ0DAJ4IsWUh.I5Tpe9vVRb475oZL9PlgjD.jLkFd.TUP6MvO3_160vCqf1PvOhR.TIhb8tBRe1mUkxC.0_wToEc_7BFIHykfwMK4fqYiLqJsFdc6uVQsCjIH1PB5wHnot5RYNfGcfanQ6yKkLioJl7rEr_dv8p2C5o5mW2_T5217DS7.mZURZJUL6CbeA9AXkaV34wf813nQJxRhgKB3ZTWmrNpfa8iEopEZWKO.H9JJTioFW3I0w7NuXMPzocJlQFpmIG8LNyE2VAWcQd.MYi58nsmcljfyiWr1CK0n78sY8DfSohGemu_SpkCa2sk.5Sx4cJ1pUp3SywTzTAkh3mVMsaeNY8vI4EvmVyNzri2S_zKUElODNfFeZ6FIJ7XSY0vLpc9ITQcePhRdVI33t0VKjq66spd4nP9uGQI3fJGzy_PIbZqmLBUiGA7ofTPTNskSHzqIsRcPRi_FDV.DTA7BUXUFeUvAVWSEobjUzEGPIwuR7Ih9RTMvx9PunGTsdGISGoPj7oKPbHcqn5Yu3wUJCffmoNr3FVlTdjGcY0k1AAwtvO606Rhqth1e6yaBl28M5V8b9VSIPsb7aY6aMKIMmoMXO9mflDf2u9eP0PuWB4v0zaWMSTgYH406IFgR__FBahPxz4r8NeZu2binOzIL.ofLNB08eD1FAqtZ47sv1FDyKurUomzXWmbFARtC.E6UDfG8G9k77AdHSozIeupEoKW5GEC9iIPBN7wFTF_mBMk0XQG4j7X7NW7IXcDQo\u0026acc38acd432fea313796723e2277a33519b0ed3e6669a04321f9857005e5ba1f=na4YuLzz4jq3GRK.YxQ0Y6EWN8Ib1VsW2VaxvsNI5.c-1746959390-1.0.1.1-VDquzo9sAmZwdVfNCwseWDdFuYdD.FI_uIKDwC4ZVN0yIA7vGDSzxJqcP19YDd6o6vdDTVrxwNiIEnWsL4IVD91dTa9IA.91Bx.2dbUGhdTiG9gXIFFAo2zB4orP4fBLWJqUjgcizsGN6hDB9jmiQ26ZiTTuMBbeFv.xKta2k2uXRbDjCTX5Y7Wp34F0YR4M"}},"response":{"raw":"","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-06-14T01:33:42.567327Z","times_seen":16400444,"resource_available":true,"data":null}},"time_used":23,"timings":{"blocked":23,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2025-05-11T10:30:22Z","timestamp":1746959422,"ip_dst":{"addr":"172.18.0.26","port":41776,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"72.144.231.7","port":80,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"Germany","country_code":"DE"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-05-11T10:30:22.467470+0000\",\"flow_id\":1756721017122075,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"72.144.231.7\",\"src_port\":80,\"dest_ip\":\"172.18.0.26\",\"dest_port\":41776,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.INFO.WindowsUpdate\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"72.144.231.7\",\"url\":\"/d/msdownload/update/software/defu/2025/05/am_delta_patch_1.427.733.0_d462f66489b71eb53d35b482f9f9874844aad88e.exe?cacheHostOrigin=2.au.download.windowsupdate.com\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":42947},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":21,\"pkts_toclient\":34,\"bytes_toserver\":1952,\"bytes_toclient\":47140,\"start\":\"2025-05-11T10:30:09.453915+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2025-05-11","alert":"Sinkholed","trigger":"72.144.231.7","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}