{"report_id":"d01ab261-f43a-43b3-87ba-b1259bd62883","version":6,"status":"done","tags":[],"date":"2025-01-11T10:11:12Z","url":{"schema":"http","addr":"5.135.52.68/Bin/ScreenConnect.WindowsClient.exe","fqdn":"5.135.52.68","domain":"5.135.52.68","tld":""},"ip":{"addr":"5.135.52.68","port":0,"asn":16276,"as":"OVH SAS","country":"France","country_code":"FR"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-03-22T10:11:12Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"5.135.52.68","ip":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":6,"request_count":1,"received_data":424860,"sent_data":417,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"af052871d222261023678c4f2870072a","sha1":"970f98ca8bc85fefc2768bad0554160f06de2ec6","sha256":"7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","sha512":"93e11c22f8e4694cbce37ca2ab38eddccc8b58fbbad887db026ab138fe2803f30a693013b5d3252b687dd86771fb78133680e1da11c8d37ade9a990de2e8f17b","magic":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":424592,"url":{"schema":"http","addr":"5.135.52.68/Bin/ScreenConnect.WindowsClient.exe","fqdn":"5.135.52.68","domain":"5.135.52.68","tld":""},"ip":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-10","alert":"Scan result 5/69","trigger":"7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","verdict":"suspicious","severity":"","comment":"suspicious - 5/69","link":"https://www.virustotal.com/gui/file/7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"af052871d222261023678c4f2870072a","sha1":"970f98ca8bc85fefc2768bad0554160f06de2ec6","sha256":"7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","sha512":"93e11c22f8e4694cbce37ca2ab38eddccc8b58fbbad887db026ab138fe2803f30a693013b5d3252b687dd86771fb78133680e1da11c8d37ade9a990de2e8f17b","magic":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":424592,"url":{"schema":"http","addr":"5.135.52.68/Bin/ScreenConnect.WindowsClient.exe","fqdn":"5.135.52.68","domain":"5.135.52.68","tld":""},"ip":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-10","alert":"Scan result 5/69","trigger":"7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","verdict":"suspicious","severity":"","comment":"suspicious - 5/69","link":"https://www.virustotal.com/gui/file/7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"ip_src":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2025-01-11T10:10:47.808847+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.13\",\"src_port\":47668,\"dest_ip\":\"5.135.52.68\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1178},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":7,\"bytes_toserver\":691,\"bytes_toclient\":7710,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-01-11T10:10:47.870632+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"5.135.52.68\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":47668,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43170},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1747,\"bytes_toclient\":47074,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-01-11T10:10:47.870632+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"5.135.52.68\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":47668,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43170},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1747,\"bytes_toclient\":47074,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"severity":"high","alert":"ETPRO POLICY ScreenConnect Successful Connection Response Inbound","source":"{\"timestamp\":\"2025-01-11T10:10:47.870632+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"5.135.52.68\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":47668,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2837961,\"rev\":3,\"signature\":\"ETPRO POLICY ScreenConnect Successful Connection Response Inbound\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2019_08_09\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Major\"],\"tag\":[\"ScreenConnect\"],\"updated_at\":[\"2020_08_31\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43170},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1747,\"bytes_toclient\":47074,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2025-01-11","alert":"Sinkholed","trigger":"5.135.52.68","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"5.135.52.68/Bin/ScreenConnect.WindowsClient.exe","fqdn":"5.135.52.68","domain":"5.135.52.68","tld":""},"ip":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-01-11T10:10:47.746Z","timestamp":1736590247746,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1\r\nHost: 5.135.52.68\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: ScreenConnect/6.3.13446.6374-132903973\r\nLast-Modified: Tue, 20 Sep 2022 10:00:16 GMT\r\nCache-Control: private\r\nContent-Type: application/octet-stream\r\nDate: Sat, 11 Jan 2025 10:10:47 GMT\r\nContent-Length: 424592\r\nKeep-Alive: timeout=15,max=100\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":424592,"size_decoded":424592,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","md5":"af052871d222261023678c4f2870072a","sha1":"970f98ca8bc85fefc2768bad0554160f06de2ec6","sha256":"7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","sha512":"93e11c22f8e4694cbce37ca2ab38eddccc8b58fbbad887db026ab138fe2803f30a693013b5d3252b687dd86771fb78133680e1da11c8d37ade9a990de2e8f17b","ssdeep":"6144:9symXDDVjJIToseYTaphRyIa1VrhPPctv4I9QDJuVSvAD4+UqFvhD1VLdw3KL9tI:CymT9Ge+OypHFoof","tlshash":"43948d2533bcdb6bc5ef0b74f0b27a585bb0d912519aeb8f5880a4e91dc67414e083db","first_seen":"2023-04-26T15:31:25Z","last_seen":"2025-03-25T05:07:52.139348Z","times_seen":64,"resource_available":false,"data":null}},"time_used":233,"timings":{"blocked":30,"dns":0,"connect":31,"send":0,"wait":33,"receive":139,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"ip_src":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2025-01-11T10:10:47.808847+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.13\",\"src_port\":47668,\"dest_ip\":\"5.135.52.68\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1178},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":7,\"bytes_toserver\":691,\"bytes_toclient\":7710,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-01-11T10:10:47.870632+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"5.135.52.68\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":47668,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43170},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1747,\"bytes_toclient\":47074,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-01-11T10:10:47.870632+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"5.135.52.68\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":47668,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43170},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1747,\"bytes_toclient\":47074,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2025-01-11T10:10:47Z","timestamp":1736590247,"ip_dst":{"addr":"172.18.0.13","port":47668,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"5.135.52.68","port":80,"asn":16276,"as":"OVH SAS","country":"Belgium","country_code":"BE"},"severity":"high","alert":"ETPRO POLICY ScreenConnect Successful Connection Response Inbound","source":"{\"timestamp\":\"2025-01-11T10:10:47.870632+0000\",\"flow_id\":1987958960250330,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"5.135.52.68\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":47668,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2837961,\"rev\":3,\"signature\":\"ETPRO POLICY ScreenConnect Successful Connection Response Inbound\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2019_08_09\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Major\"],\"tag\":[\"ScreenConnect\"],\"updated_at\":[\"2020_08_31\"]}},\"http\":{\"hostname\":\"5.135.52.68\",\"url\":\"/Bin/ScreenConnect.WindowsClient.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43170},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1747,\"bytes_toclient\":47074,\"start\":\"2025-01-11T10:10:47.744922+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2025-01-11","alert":"Sinkholed","trigger":"5.135.52.68","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-10","alert":"Scan result 5/69","trigger":"7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","verdict":"suspicious","severity":"","comment":"suspicious - 5/69","link":"https://www.virustotal.com/gui/file/7bcee06a3c1e0cc51de7011e3085bb3e1366b39db8fe97562a07db352daf1944","meta":null}],"urlquery":null}}]}