{ "_index": "host_id-4", "_type": "_doc", "_id": "10.6.15.187", "_version": 1, "_score": 1, "_source": { "ip": "10.6.15.187", "host_id": { "hostname_count": 1, "http.user_agent_count": 4, "roles_count": 0, "tls.ja4_count": 8, "services_count": 2, "client_service_count": 5, "username_count": 2, "first_seen": "2025-07-26T03:45:30.740628+00:00", "last_seen": "2025-07-26T03:59:05.621718+00:00", "in_home_net": true, "hostname": [ { "host": "desktop-ys6fz2g", "first_seen": "2025-07-26T03:45:30.840627+00:00", "last_seen": "2025-07-26T03:45:30.840627+00:00" } ], "tls.ja4": [ { "agent": [ "Excel/16.0", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "ManicTime/4.6.22.0", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0)", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Core/1.77.96.400 QQBrowser/10.9.4619.400", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 Edg/100.0.1185.36", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36" ], "hash": "t12d190800_d83cc789557e_7af1ed941c26", "first_seen": "2025-07-26T03:45:31.907288+00:00", "last_seen": "2025-07-26T03:48:57.929512+00:00" }, { "agent": [ "Mozilla/5.0 (Linux; Android 11; CPH2145) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Win64; x64; Trident/4.0)", "Mozilla/5.0 Lrytas/4.3.3 (Linux; Android 11; SM-A715F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; U; Android 11; SM-M405F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; M2101K7BNY Build/RP1A.200720.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; ONEPLUS A3000 Build/RQ3A.210605.005; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; Lenovo TB-7306F Build/RP1A.200720.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Safari/537.36", "Mozilla/5.0 (Linux; Android 11; POCO F1 Build/RQ2A.210405.005; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44", "Mozilla/5.0 (Linux; Android 11; SM-A415F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" ], "hash": "t12d210700_76e208dd3e22_2dae41c691ec", "first_seen": "2025-07-26T03:45:35.620622+00:00", "last_seen": "2025-07-26T03:45:42.749510+00:00" }, { "agent": [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041", "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 640 Dual SIM) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; TEJB; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.11.6.17763; 10.0.0.0.17763.973) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763", "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; Touch; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 MEMORITY_GEODIS_IWA", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; IE8Mercury; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; Touch; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363" ], "hash": "t12d1909h2_d83cc789557e_7af1ed941c26", "first_seen": "2025-07-26T03:45:35.660624+00:00", "last_seen": "2025-07-26T03:52:55.176177+00:00" }, { "agent": [ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; MARKANYWEBDRM#25143; iftNxParam=1.0.1)", "Mozilla/5.0 (Windows NT 6.2; Trident/7.0; rv:11.0) like Gecko; MyIE;", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Core/1.70.3883.400 QQBrowser/10.8.4580.400", "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko", "Microsoft Office Excel 2014 (16.0.4849) Windows NT 10.0", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; printmade=3.0.1.8; wbx 1.0.0)", "Mozilla/5.0", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; Zoom 3.6.0)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" ], "hash": "t12d190700_d83cc789557e_2dae41c691ec", "first_seen": "2025-07-26T03:45:35.716179+00:00", "last_seen": "2025-07-26T03:48:37.405076+00:00" }, { "agent": [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 Edg/93.0.961.38", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362", "Mozilla/5.0 (Windows NT 10.0; WOW64; APCPMS=^N20151110104020610397A935B3A4D49AE93F_1050^; Trident/7.0; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; TCO_20201026160829; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; TCO_20210128081838; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; .NET CLR 2.4.31066; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; .NET CLR 4.1.70608; MASEJS; rv:11.0) like Gecko" ], "hash": "t12d1908h2_d83cc789557e_2dae41c691ec", "first_seen": "2025-07-26T03:45:35.907287+00:00", "last_seen": "2025-07-26T03:51:35.553967+00:00" }, { "hash": "t13d1516h2_8daaf6152771_e5627efa2ab1", "first_seen": "2025-07-26T03:48:31.456184+00:00", "last_seen": "2025-07-26T03:48:33.378401+00:00" }, { "hash": "t13d1515h2_8daaf6152771_f37e75b10bcc", "first_seen": "2025-07-26T03:48:33.458401+00:00", "last_seen": "2025-07-26T03:48:33.458401+00:00" }, { "agent": [ "Dridex (from abuse.ch)" ], "hash": "t12i190600_d83cc789557e_2dae41c691ec", "first_seen": "2025-07-26T03:48:54.716183+00:00", "last_seen": "2025-07-26T03:52:55.800625+00:00" } ], "client_service": [ { "name": "krb5", "first_seen": "2025-07-26T03:45:33.399613+00:00", "last_seen": "2025-07-26T03:45:33.399613+00:00" }, { "name": "dcerpc", "first_seen": "2025-07-26T03:45:37.390472+00:00", "last_seen": "2025-07-26T03:52:13.589653+00:00" }, { "name": "smb", "first_seen": "2025-07-26T03:45:47.437025+00:00", "last_seen": "2025-07-26T03:59:05.621718+00:00" }, { "name": "http", "first_seen": "2025-07-26T03:46:43.233433+00:00", "last_seen": "2025-07-26T03:51:34.571928+00:00" }, { "name": "tls", "first_seen": "2025-07-26T03:47:21.127576+00:00", "last_seen": "2025-07-26T03:54:15.323484+00:00" } ], "username": [ { "user": "horace.maddox@saltmobsters.com", "first_seen": "2025-07-26T03:45:35.136177+00:00", "last_seen": "2025-07-26T03:45:35.136177+00:00" }, { "user": "horace.maddox", "first_seen": "2025-07-26T03:45:35.305066+00:00", "last_seen": "2025-07-26T03:45:35.305066+00:00" } ], "http.user_agent": [ { "agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31", "first_seen": "2025-07-26T03:46:33.931740+00:00", "last_seen": "2025-07-26T03:51:27.000625+00:00" }, { "agent": "Microsoft-Delivery-Optimization/10.0", "first_seen": "2025-07-26T03:46:36.049519+00:00", "last_seen": "2025-07-26T03:51:29.140652+00:00" }, { "agent": "Microsoft-CryptoAPI/10.0", "first_seen": "2025-07-26T03:46:41.840622+00:00", "last_seen": "2025-07-26T03:51:31.738412+00:00" }, { "agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Edg/91.0.864.48", "first_seen": "2025-07-26T03:48:34.476187+00:00", "last_seen": "2025-07-26T03:48:34.476187+00:00" } ], "services": [ { "proto": "tcp", "port": 445, "values": [ { "first_seen": "2025-07-26T03:46:34.289604+0000", "last_seen": "2025-07-26T03:46:34.289604+0000", "app_proto": "smb" }, { "first_seen": "2025-07-26T03:46:33.241444+0000", "last_seen": "2025-07-26T03:46:33.241444+0000", "app_proto": "unknown" } ] } ], "tenant": 4 } } }