{ "_index": "host_id-4", "_type": "_doc", "_id": "10.7.5.5", "_version": 2, "_score": 1, "_source": { "ip": "10.7.5.5", "host_id": { "hostname_count": 1, "http.user_agent_count": 5, "roles_count": 2, "tls.ja4_count": 5, "services_count": 10, "client_service_count": 3, "username_count": 0, "first_seen": "2025-07-26T03:52:56.329531+00:00", "last_seen": "2025-07-26T04:00:47.431258+00:00", "in_home_net": true, "hostname": [ { "host": "phantasmedia-dc.phantasmedia.com", "first_seen": "2025-07-26T03:52:56.336180+00:00", "last_seen": "2025-07-26T03:52:56.336180+00:00" } ], "net_info": [ { "agg": "user.emrbu.org.affected-users", "first_seen": "2025-07-26T03:52:59.477618+00:00", "last_seen": "2025-07-26T04:00:47.431258+00:00" } ], "roles": [ { "name": "dhcp", "first_seen": "2025-07-26T03:52:57.189517+00:00", "last_seen": "2025-07-26T03:52:57.189517+00:00" }, { "name": "domain controller", "first_seen": "2025-07-26T03:52:59.477618+00:00", "last_seen": "2025-07-26T03:54:23.304064+00:00" } ], "tls.ja4": [ { "agent": [ "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/68.0.3440.83 Mobile/16A5366a Safari/604.1", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3868.400 QQBrowser/10.8.4394.400", "Malware Test FP: trickbot-infection-from-usdata.estoreseller.com, malspam-infection-traffic, upatre-malspam-infection-traffic, etc.", "Malware Test FP: trickbot-infection-from-usdata.estoreseller.com, malspam-infection-traffic, upatre-malspam-infection-traffic, fedex-malspam-sends-kovter, trickbot-infection-from-carriereiter.com.exe, kovter-nemucodaes-malspam-traffic, necurs-botnet-malsp" ], "hash": "t10i120300_d94e65cdb899_5f12c91e28fe", "first_seen": "2025-07-26T03:53:18.909523+00:00", "last_seen": "2025-07-26T03:54:44.453972+00:00" }, { "agent": [ "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html\t", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:64.0) Gecko/20100101 Firefox/64.0", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0", "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "Non-Specific Microsoft Socket" ], "hash": "t10d120400_d94e65cdb899_5f12c91e28fe", "first_seen": "2025-07-26T03:53:18.967324+00:00", "last_seen": "2025-07-26T03:53:18.967324+00:00" }, { "agent": [ "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3904.108 Safari/537.36" ], "hash": "t13d591000_a33745022dd6_5ac7197df9d2", "first_seen": "2025-07-26T03:53:53.356195+00:00", "last_seen": "2025-07-26T03:54:45.205075+00:00" }, { "agent": [ "Mozilla/5.0 (Linux; U; Android 9; zh-cn; PBBM00 Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 HeyTapBrowser/10.7.34.0.1beta", "Mozilla/5.0 (Linux; Android 9; MRD-LX1F Build/HUAWEIMRD-LX1F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 9; RMX1941 Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36 OPR/48.2.2331.133274", "Mozilla/5.0 (Linux; U; Android 12; zh-cn; PEEM00 Build/SKQ1.210216.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 HeyTapBrowser/40.7.36.1", "Mozilla/5.0 (Linux; U; Android 8.1.0; en-us; PBBT30 Build/OPM1.171019.026) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 HeyTapBrowser/10.7.11.3", "Mozilla/5.0 (Linux; Android 7.0; SLA-L22 Build/HUAWEISLA-L22; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/342.0.0.37.119;]", "Mozilla/5.0 (Linux; U; Android 5.1.1; zh-cn; OPPO R7sm Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 HeyTapBrowser/10.7.16.2", "Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M Build/M1AJQ; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 8.0.0; SM-J330F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/305.1.0.40.120;]", "Mozilla/5.0 (Linux; U; Android 11; en-us; CPH2119 Build/RP1A.200720.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 HeyTapBrowser/45.7.5.9" ], "hash": "t12d1311h2_8b80da21ef18_77989cba1f4a", "first_seen": "2025-07-26T03:54:40.473967+00:00", "last_seen": "2025-07-26T03:54:40.487306+00:00" }, { "agent": [ "Mozilla/5.0 (Linux; Android 7.0; VIE-L09 Build/HUAWEIVIE-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36", "Mozilla/5.0 (Linux; Android 8.1.0; SM-T580 Build/M1AJQ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "visual studio code 1.37.0-insider electron 4.2.5 ubuntu 18.04" ], "hash": "t12d1312h2_8b80da21ef18_b00751acaffa", "first_seen": "2025-07-26T03:54:40.562853+00:00", "last_seen": "2025-07-26T03:54:40.567295+00:00" } ], "http.user_agent": [ { "agent": "test", "first_seen": "2025-07-26T03:53:23.980627+00:00", "last_seen": "2025-07-26T03:53:23.980627+00:00" }, { "agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)", "first_seen": "2025-07-26T03:53:24.198417+00:00", "last_seen": "2025-07-26T03:53:24.198417+00:00" }, { "agent": "WinHTTP sender/1.0", "first_seen": "2025-07-26T03:53:27.207296+00:00", "last_seen": "2025-07-26T03:53:27.207296+00:00" }, { "agent": "WinHTTP loader/1.0", "first_seen": "2025-07-26T03:53:28.609527+00:00", "last_seen": "2025-07-26T03:53:28.609527+00:00" }, { "agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", "first_seen": "2025-07-26T03:53:59.991754+00:00", "last_seen": "2025-07-26T03:54:30.622848+00:00" } ], "client_service": [ { "name": "http", "first_seen": "2025-07-26T03:53:27.425207+00:00", "last_seen": "2025-07-26T03:54:36.349078+00:00" }, { "name": "smb", "first_seen": "2025-07-26T03:53:36.442714+00:00", "last_seen": "2025-07-26T03:53:36.442714+00:00" }, { "name": "tls", "first_seen": "2025-07-26T03:54:48.286250+00:00", "last_seen": "2025-07-26T03:56:21.032496+00:00" } ], "net_info_count": 1, "services": [ { "proto": "udp", "port": 53, "values": [ { "first_seen": "2025-07-26T03:52:56.331735+0000", "last_seen": "2025-07-26T03:54:44.391742+0000", "app_proto": "dns" } ] }, { "proto": "udp", "port": 67, "values": [ { "first_seen": "2025-07-26T03:52:57.189517+0000", "last_seen": "2025-07-26T03:52:57.189517+0000", "app_proto": "dhcp" } ] }, { "proto": "tcp", "port": 88, "values": [ { "first_seen": "2025-07-26T03:52:59.477618+0000", "last_seen": "2025-07-26T03:53:09.462670+0000", "app_proto": "krb5" } ] }, { "proto": "tcp", "port": 135, "values": [ { "first_seen": "2025-07-26T03:53:07.468229+0000", "last_seen": "2025-07-26T03:54:24.299147+0000", "app_proto": "dcerpc" } ] }, { "proto": "tcp", "port": 389, "values": [ { "first_seen": "2025-07-26T03:52:59.485346+0000", "last_seen": "2025-07-26T03:53:42.402969+0000", "app_proto": "unknown" } ] }, { "proto": "tcp", "port": 445, "values": [ { "first_seen": "2025-07-26T03:53:03.479425+0000", "last_seen": "2025-07-26T03:54:23.304064+0000", "app_proto": "smb" }, { "first_seen": "2025-07-26T03:53:13.458343+0000", "last_seen": "2025-07-26T03:54:24.313276+0000", "app_proto": "unknown" } ] }, { "proto": "tcp", "port": 3268, "values": [ { "first_seen": "2025-07-26T03:53:12.509246+0000", "last_seen": "2025-07-26T03:54:20.310041+0000", "app_proto": "unknown" } ] }, { "proto": "tcp", "port": 49155, "values": [ { "first_seen": "2025-07-26T03:53:06.461585+0000", "last_seen": "2025-07-26T03:54:03.344922+0000", "app_proto": "dcerpc" } ] }, { "proto": "tcp", "port": 49158, "values": [ { "first_seen": "2025-07-26T03:53:08.465579+0000", "last_seen": "2025-07-26T03:53:17.446349+0000", "app_proto": "dcerpc" } ] } ], "tenant": 4 } } }