{
"cells": [
{
"cell_type": "markdown",
"source": [
"# Getting Started with Azure ML Notebooks and Microsoft Sentinel\n",
"\n",
"---\n",
"\n",
"## Pre-requisites\n",
"- Log Analytics *Reader* permissions on the Microsoft Sentinel workspace\n",
"- Python 3.8 notebook kernel (`Python 3.8 - Azure ML`)\n",
"\n",
"# Contents\n",
"\n",
"1. **Introduction**\n",
"\n",
"   1.1 What is a Jupyter notebook?\n",
"\n",
"   1.2 Running code in notebooks\n",
"\n",
"2. **Initializing the notebook and MSTICPy**\n",
"\n",
"3. **Querying Data from Microsoft Sentinel**\n",
"\n",
"   3.1 Verifying Microsoft Sentinel settings\n",
"\n",
"   3.2 (Optional) Configure your Azure Cloud\n",
"\n",
"   3.3 Load a QueryProvider for Microsoft Sentinel\n",
"\n",
"   3.4 Authenticate to the Microsoft Sentinel workspace\n",
"\n",
"   3.5 Test your connection using a MSTICPy built-in Microsoft Sentinel query\n",
"\n",
"4. **Configure and test external data providers (VirusTotal and Maxmind GeoLite2)**\n",
"\n",
"   4.1 (Optional) Configure Azure Key Vault to store secrets\n",
"\n",
"   4.2 Testing VirusTotal Lookup\n",
"\n",
"   4.3 Testing IP geolocation lookup with Maxmind GeoLite2\n",
"\n",
"5. **Conclusion and Next Steps**\n",
"\n",
"6. **Further Resources**\n",
"\n",
"7. **FAQs - Frequently Asked Questions**\n"
],
"metadata": {}
},
{
"cell_type": "markdown",
"source": [
"\n",
"---\n",
"\n",
"# 1. Introduction\n",
"\n",
"This notebook takes you through the basics needed to get started with Azure Machine Learning (ML) Notebooks and Microsoft Sentinel.\n",
"\n",
"**Warning.** Due to rendering issues in Azure Machine Learning, we strongly recommend running this notebook in Jupyter Lab or VSCode.\n",
"\n",
"Please run the code cells in sequence. Skipping cells will result in errors.\n",
"\n",
"If you encounter any unexpected errors or warnings please see the FAQ at the end of this notebook.\n",
"\n",
"**Tip:** You can identify which cells are code cells by selecting them.\n",
"In Azure ML notebooks and VSCode, code cells have a larger border\n",
"on the left side with a \"Play\" button to execute the cell.\n",
"In other notebook environments code and markdown cells will have\n",
"different styles but it's usually easy to distinguish them.\n",
"\n",
"`init_notebook` does some of the tedious work of importing other packages,\n",
"checking configuration (we'll get to configuration in a moment) and, optionally,\n",
"installing other required packages.\n",
"\n",
"1. Don't be alarmed if you see configuration warnings (such as \"Missing msticpyconfig.yaml\").\n",
"   We haven't configured anything yet, so this is expected.\n",
"2. You may also see some warnings about package version conflicts. It is usually safe\n",
"   to ignore these.\n",
"\n",
"Although you don't need to know these details now, you can find more information here:\n",
"\n",
"If you need a more complete walk-through of configuration, we have a separate notebook to help you:\n",
"\n",
"**Tip:**\n",
"If you do not see a \"msticpyconfig.yaml\" file in your user folder, click the refresh button\n",
"at the top of the file browser.\n",
"\n",
"If you have multiple Microsoft Sentinel workspaces, you can add\n",
"them in the following configuration cell.\n",
"You can choose to keep one as the default or just delete this entry\n",
"if you always want to name your workspaces explicitly when you\n",
"connect.\n",
"\n",
"**Note:**\n",
"This is not required if using the Azure Global cloud (most common)\n",
"and you can skip this step.\n",
"\n",
"If the domain of your Microsoft Sentinel or Azure Machine Learning does\n",
"not end with '.azure.com' you should set the appropriate cloud\n",
"for your organization.\n",
"\n",
"If you change to a different cloud, hit **Update** and **Save Settings** to write\n",
"the changes to your configuration file.\n"
],
"metadata": {}
},
{
"cell_type": "code",
"source": [
"display(mpedit)\n",
"mpedit.set_tab(\"Azure\")\n"
],
"outputs": [
{
"output_type": "display_data",
"data": {
"text/plain": "VBox(children=(Tab(children=(VBox(children=(Label(value='Microsoft Sentinel workspace settings'), HBox(childre…",
"application/vnd.jupyter.widget-view+json": {
"version_major": 2,
"version_minor": 0,
"model_id": "8edf53ee5ad247a180dd31cc1da28fef"
}
},
"metadata": {}
}
],
"execution_count": 10,
"metadata": {
"gather": {
"logged": 1684964030941
}
}
},
{
"cell_type": "markdown",
"source": [
"## 3.3 Load a QueryProvider for Microsoft Sentinel\n",
"\n",
"To start, we are going to load up a `QueryProvider`\n",
"for Microsoft Sentinel. The `QueryProvider` is the object you use to\n",
"query data from Microsoft Sentinel and make it available to view and analyze in the notebook.\n",
"There are two steps to do this:\n",
"\n",
"1. Create the `QueryProvider`\n",
"2. Run the `connect` function to authenticate to the Sentinel workspace.\n",
"\n",
"Query results are always returned as pandas DataFrames.\n",
"If you are new to using pandas, look at the Introduction to Pandas section in\n",
"the A Tour of Cybersec notebook features notebook.\n",
"\n",
"The query provider supports other data sources, as well as Microsoft Sentinel.\n",
"Other data sources supported by the `QueryProvider` class include Microsoft Defender for Endpoint,\n",
"Splunk, Microsoft Graph API and Azure Resource Graph, but these are not covered here.\n",
"\n",
"Most query providers come with a range of built-in queries\n",
"for common data operations. You can also use a query provider to run custom queries against\n",
"Microsoft Sentinel data.\n",
"\n",
"Device authentication uses a unique code generated on your client\n",
"as an additional authentication factor. When prompted, you copy\n",
"the code, open a browser to http://microsoft.com/devicelogin and paste\n",
"it in. Then follow the interactive authentication flow.\n",
"\n",
"Azure CLI authentication requires you to log on (in the notebook or\n",
"a terminal) before authenticating to Microsoft Sentinel:\n",
"\n",
"```\n",
"az login\n",
"```\n",
"\n",
"You can change the authentication option used when calling `connect`\n",
"with the following.\n",
"\n",
"To force Device authentication add the following parameter\n",
"to the connect call:\n",
"\n",
"```python\n",
"qry_prov.connect(ws_config, mp_az_auth=False)\n",
"```\n",
"\n",
"To use Azure CLI authentication:\n",
"\n",
"```python\n",
"qry_prov.connect(ws_config, mp_az_auth=[\"cli\"])\n",
"```\n",
"\n",
"```python\n",
"ws_config = WorkspaceConfig(workspace=\"WorkspaceName\")\n",
"```\n",
"\n",
"'WorkspaceName' should be one of the workspaces defined in msticpyconfig.yaml.\n",
"\n",
"Sample output of the SecurityAlert query: a DataFrame with columns TenantId, TimeGenerated, AlertDisplayName, AlertName, Severity, Description, ProviderName, VendorName, VendorOriginalId, SystemAlertId, ResourceId, SourceComputerId, AlertType, ConfidenceLevel, ConfidenceScore, IsIncident, StartTimeUtc, EndTimeUtc, ProcessingEndTime, RemediationSteps, ExtendedProperties, Entities, SourceSystem, WorkspaceSubscriptionId, WorkspaceResourceGroup, ExtendedLinks, ProductName, ProductComponentName, AlertLink, Status, CompromisedEntity, Tactics, Type (5 rows shown).\n",
"\n",
"**Warning** If you are using a VT enterprise key we do not recommend storing this\n",
"in the msticpyconfig.yaml file.\n",
"For more details see the MSTICPy GeoIP Providers documentation.\n",
"\n",
"MSTICPy supports storage of secrets in\n",
"Azure Key Vault if you configured this in the previous step.\n",
"\n",
"\n",
"As well as VirusTotal, we also support a range\n",
"of other threat intelligence providers. You can read more about that here:\n",
"[MSTICPy TI Providers](https://msticpy.readthedocs.io/en/latest/data_acquisition/TIProviders.html)\n",
"\n",
"### Instructions\n",
"\n",
"To add the VirusTotal details, run the following cell.\n",
"\n",
"1. Select \"VirusTotal\" from the **Add prov** drop down\n",
"2. Click the **Add** button\n",
"3. In the left-side Details panel select **Text** as the Storage option.\n",
"4. Paste the API key in the **Value** text box.\n",
"5. Click the **Update** button to confirm your changes.\n",
"\n",
"Your changes are not yet saved to your configuration file. To\n",
"do this, click on the **Save Settings** button at the bottom of the dialog.\n",
"\n",
"If you are unclear about what anything in the configuration editor means, use the **Help** drop-down. This\n",
"has instructions and links to more detailed documentation.\n"
],
"metadata": {}
},
{
"cell_type": "code",
"source": [
"mpe = msticpy.MpConfigEdit()\n",
"mpe\n"
],
"outputs": [
{
"output_type": "display_data",
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "d712c52f75fe4883a19a11f563b1115f",
"version_major": 2,
"version_minor": 0
},
"text/plain": "Label(value='Loading. Please wait.')"
},
"metadata": {}
},
{
"output_type": "display_data",
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "1782fe2ae4624828bddc3efa388c0cfc",
"version_major": 2,
"version_minor": 0
},
"text/plain": "VBox(children=(Tab(children=(VBox(children=(Label(value='Microsoft Sentinel workspace settings'), HBox(childre…"
},
"metadata": {}
}
],
"execution_count": 10,
"metadata": {}
},
{
"cell_type": "code",
"source": [
"display(mpedit)\n",
"mpedit.set_tab(\"TI Providers\")\n"
],
"outputs": [
{
"output_type": "display_data",
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "b3a706d69d3f4812ab95091a943a81d1",
"version_major": 2,
"version_minor": 0
},
"text/plain": "VBox(children=(Tab(children=(VBox(children=(Label(value='Microsoft Sentinel workspace settings'), HBox(childre…"
},
"metadata": {}
}
],
"execution_count": 11,
"metadata": {}
},
{
"cell_type": "markdown",
"source": [
"Our notebooks commonly use IP geo-location information. \n",
"In order to enable this we are going to set up [MaxMind GeoLite2](https://www.maxmind.com)\n",
"to provide geolocation lookup services for IP addresses.\n",
"\n",
"GeoLite2 uses a downloaded database which requires an account key to download.\n",
"You can sign up for a free account and a license key at \n",
"[The Maxmind signup page - https://www.maxmind.com/en/geolite2/signup](https://www.maxmind.com/en/geolite2/signup).\n",
"\n",
"Using IPStack as an alternative to GeoLite2...\n",
"\n",
"\n",
"Once you have an account, run the following cell to add the Maxmind GeoIP Lite details to your configuration.\n",
"\n",
"### Instructions\n",
"\n",
"The procedure is similar to the one we used for VirusTotal:\n",
"\n",
"1. Select the \"GeoIPLite\" provider from the **Add prov** drop-down\n",
"2. Click **Add**\n",
"3. Select **Text** Storage and paste the license (API/Auth) key into the text box\n",
"4. Click **Update**\n",
"5. Click **Save Settings** to write your settings to your configuration.\n"
],
"metadata": {}
},
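The VirusTotal and GeoLite2 configuration steps above store keys through the editor's Text or Key Vault storage options. The script below is an added example, not part of this notebook or of MSTICPy: it audits a constructed msticpyconfig.yaml (embedded as the dict `yaml.safe_load` would return), lists the configured workspaces, flags credentials stored as plain text and rewrites one into a Key Vault reference. The section names, `SECRET_ARG_NAMES` and the `{KeyVault: ...}` reference shape are assumptions based on the msticpyconfig.yaml layout.

```python
"""Audit a msticpyconfig.yaml for plain-text secrets and workspace layout.

Added example; not part of this notebook or of MSTICPy. SAMPLE_CONFIG is a
constructed configuration in the shape `yaml.safe_load` returns for a
msticpyconfig.yaml, embedded as a dict so the script needs no PyYAML.
"""
import copy
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a Default plus a named workspace, a VirusTotal key
# stored as plain Text (the pattern the notebook warns against for
# enterprise keys) and a GeoIPLite key that is referenced from Key Vault.
SAMPLE_CONFIG: Dict[str, Any] = {
    "AzureSentinel": {
        "Workspaces": {
            "Default": {
                "WorkspaceId": "00000000-0000-0000-0000-000000000000",
                "TenantId": "11111111-1111-1111-1111-111111111111",
            },
            "Prod": {
                "WorkspaceId": "22222222-2222-2222-2222-222222222222",
                "TenantId": "11111111-1111-1111-1111-111111111111",
            },
        }
    },
    "TIProviders": {
        "VirusTotal": {
            "Args": {"AuthKey": "PLACEHOLDER-VT-API-KEY"},  # Text storage
            "Primary": True,
            "Provider": "VirusTotal",
        }
    },
    "OtherProviders": {
        "GeoIPLite": {
            # An empty KeyVault value means "look the secret up in Key Vault"
            # (assumed reference shape, taken from the msticpyconfig layout).
            "Args": {"AuthKey": {"KeyVault": None}, "DBFolder": "~/.msticpy"},
            "Provider": "GeoLiteLookup",
        }
    },
    "Azure": {"cloud": "global"},
}

# Config sections that hold provider entries with an Args block, and the
# Args names that carry credentials (assumed set; extend for other providers).
PROVIDER_SECTIONS = ("TIProviders", "OtherProviders", "DataProviders")
SECRET_ARG_NAMES = {"AuthKey", "ClientSecret"}


def list_workspaces(config: Dict[str, Any]) -> List[Tuple[str, bool]]:
    """Return (workspace name, is_default) for each configured Sentinel workspace."""
    workspaces = config.get("AzureSentinel", {}).get("Workspaces", {})
    return [(name, name == "Default") for name in workspaces]


def classify_secret(value: Any) -> str:
    """Classify how a secret Arg is stored: KeyVault, EnvironmentVar, Text or Missing."""
    if value is None or value == "":
        return "Missing"
    if isinstance(value, dict):
        for storage in ("KeyVault", "EnvironmentVar"):
            if storage in value:
                return storage
        return "Unknown"
    return "Text"


def find_plaintext_secrets(config: Dict[str, Any]) -> List[str]:
    """Return 'Section.Provider.Arg' paths whose credential is stored as plain text."""
    findings: List[str] = []
    for section in PROVIDER_SECTIONS:
        for prov_name, prov in config.get(section, {}).items():
            args = prov.get("Args", {}) if isinstance(prov, dict) else {}
            for arg_name, value in args.items():
                if arg_name in SECRET_ARG_NAMES and classify_secret(value) == "Text":
                    findings.append(f"{section}.{prov_name}.{arg_name}")
    return findings


def move_secret_to_keyvault(
    config: Dict[str, Any], path: str, secret_name: Optional[str] = None
) -> Dict[str, Any]:
    """Return a copy of config with the credential at 'Section.Provider.Arg'
    replaced by a Key Vault reference. The plain-text value is dropped, not
    copied into the reference; secret_name None leaves the name to MSTICPy's
    default (assumption about the reference shape, as above)."""
    section, prov_name, arg_name = path.split(".")
    fixed = copy.deepcopy(config)
    fixed[section][prov_name]["Args"][arg_name] = {"KeyVault": secret_name}
    return fixed


if __name__ == "__main__":
    for name, is_default in list_workspaces(SAMPLE_CONFIG):
        print(f"workspace {name}{' (default)' if is_default else ''}")
    for path in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plain-text secret in {path}; move it to Key Vault or an environment variable")
```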
{
"cell_type": "code",
"source": [
"display(mpedit)\n",
"mpedit.set_tab(\"GeoIP Providers\")\n"
],
"outputs": [
{
"output_type": "display_data",
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "b3a706d69d3f4812ab95091a943a81d1",
"version_major": 2,
"version_minor": 0
},
"text/plain": "VBox(children=(Tab(children=(VBox(children=(Label(value='Microsoft Sentinel workspace settings'), HBox(childre…"
},
"metadata": {}
}
],
"execution_count": 12,
"metadata": {}
},
{
"cell_type": "markdown",
"source": [
"---\n",
"\n",
"## 4.1. Testing VirusTotal Lookup\n",
"\n",
"Threat intelligence and IP location are two common enrichments that you might apply to queried data.\n",
"\n",
"Let's test the VirusTotal provider with a known bad IP Address.\n",
"\n",
"Learn more...\n"
],
"metadata": {}
},
{
"cell_type": "code",
"source": [
"# Refresh any config items that were saved\n",
"# to the msticpyconfig in the previous steps.\n",
"msticpy.settings.refresh_config()\n",
"\n",
"# Create our TI provider\n",
"ti = TILookup()\n",
"\n",
"# Lookup an IP Address\n",
"ti_resp = ti.lookup_ioc(\"85.214.149.236\", providers=[\"VirusTotal\"])\n",
"\n",
"ti_df = ti.result_to_df(ti_resp)\n",
"ti.browse_results(ti_df, severities=\"all\")"
],
"outputs": [
{
"output_type": "stream",
"name": "stdout",
"text": "Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank\n"
},
{
"output_type": "display_data",
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "0c32d03deb0d42d59da17a89f238c544",
"version_major": 2,
"version_minor": 0
},
"text/plain": "VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…"
},
"metadata": {}
},
{
"output_type": "display_data",
"data": {
"text/html": "
VirusTotal | |
verbose_msg | IP address in dataset |
response_code | 1 |
positives | 69 |
detected_urls | ['http://85.214.149.236/sugarcrm/themes/default/images/', 'http://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg', 'http://85.214.149.236:443/sugarcrm/themes/default/images/', 'http://dl1.chimaera.cc/', 'http://85.214.149.236/', 'http://85.214.149.236/sugarcrm/themes/default/images/sugarlogic/.../tntb/containerpwn', 'http://85.214.149.236/sugarcrm/themes/default/images/SugarLogic/.../TNTb/ContainerPwn'] |
detected_downloaded_samples | [] |
detected_communicating_samples | ['c8895af7e57cf693d1dde9b3a361d03f14be0cdb2ee9c121496ea0315f06636a'] |
{'as_owner': 'Strato AG',\n
{'positives': 14,
'scan_date': '2020-11-10 11:01:42',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 14,
'scan_date': '2020-11-08 15:00:49',
'total': 81,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/nk.jpg'},
{'positives': 6,
'scan_date': '2020-11-04 19:21:25',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default'},
{'positives': 6,
'scan_date': '2020-10-29 00:55:07',
'total': 81,
'url': 'http://85.214.149.236/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-28 03:26:34',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-28 03:06:19',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/.../dns'},
{'positives': 11,
'scan_date': '2020-09-24 14:01:08',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images'},
{'positives': 12,
'scan_date': '2020-09-21 17:20:19',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/carray.jpg'},
{'positives': 6,
'scan_date': '2020-09-20 16:04:57',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm'},
{'positives': 9,
'scan_date': '2020-09-17 17:36:08',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/banner.php'},
{'positives': 11,
'scan_date': '2020-09-10 07:55:21',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/'},
{'positives': 10,
'scan_date': '2020-09-09 12:06:14',
'total': 80,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/Carray.jpg/'},
{'positives': 4,
'scan_date': '2020-09-09 12:05:12',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/bioset.jpg/'},
{'positives': 11,
'scan_date': '2020-09-09 11:59:35',
'total': 80,
'url': 'http://dockerupdate.anondns.net/sugarcrm/themes/default/images/mos.jpg'},
{'positives': 5,
'scan_date': '2020-09-09 11:48:55',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../run'},
{'positives': 4,
'scan_date': '2020-09-09 11:44:28',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js'},
{'positives': 6,
'scan_date': '2020-09-09 11:35:26',
'total': 80,
'url': 'http://85.214.149.236:443/sugarcrm/.../cron.sh'},
{'positives': 5,
'scan_date': '2020-09-05 03:44:35',
'total': 80,
'url': 'http://85.214.149.236/sugarcrm/...'},
{'positives': 8,
'scan_date': '2020-09-02 06:09:23',
'total': 80,
'url': 'https://dockerupdate.anondns.net/'},
{'positives': 6,
'scan_date': '2020-09-01 17:37:50',
'total': 79,
'url': 'http://85.214.149.236:443/sugarcrm/.../dns'},
{'positives': 1,
'scan_date': '2020-08-28 08:15:47',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/mod.js\"'},
{'positives': 2,
'scan_date': '2020-08-27 13:22:06',
'total': 78,
'url': 'http://85.214.149.236:443/sugarcrm/themes/default/images/zgrab.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 14:52:00',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/portjoe.jpg'},
{'positives': 7,
'scan_date': '2020-08-25 07:02:55',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images'},
{'positives': 4,
'scan_date': '2020-08-24 07:34:44',
'total': 79,
'url': 'http://dockerupdate.anondns.net:443/sugarcrm/themes/default/images/01.jpg'}],
'resolutions': [{'hostname': 'dl1.chimaera.cc',
'last_resolved': '2021-08-13 07:43:54'},
{'hostname': 'dockerupdate.anondns.net',
'last_resolved': '2020-08-14 18:56:08'},
{'hostname': 'h2381205.stratoserver.net',
'last_resolved': '2020-08-06 12:19:57'}],
'response_code': 1,
'undetected_communicating_samples': [{'date': '2021-11-17 10:12:13',
'positives': 0,
'sha256': 'a3b160e7c58fd879ce9eac6732adfef16fb554a1723ac86e2b31eb2b1d0fbef8',
'total': 71},
{'date': '2021-09-10 17:39:35',
'positives': 0,
'sha256': '48f92bdc4c039437ba77e6c6a74bb0d4b747aa94fb815223ea6d735d04fcb733',
'total': 72},
{'date': '2021-08-21 20:20:58',
'positives': 0,
'sha256': '0085bf33d4e4e051a15a1bd70636055d709aeef79025080afc7a8148ece55339',
'total': 73},
{'date': '2021-08-19 21:32:51',
'positives': 0,
'sha256': '0dab485f5eacbbaa62c2dd5385a67becf2c352f2ebedd2b5184ab4fba89d8f19',
'total': 73},
{'date': '2021-06-24 10:15:37',
'positives': 0,
'sha256': '7149b53e4a3f9de2a7d47190af64f8b609618ed09f8440a64175049a90336775',
'total': 75},
{'date': '2021-06-09 10:51:49',
'positives': 0,
'sha256': '45cc4f38340bf1d4bb0010114ccf03112d14dee7815aa797d20854605fdca2d2',
'total': 74},
{'date': '2021-06-12 19:00:20',
'positives': 0,
'sha256': '020531aef7e069ee6e384f2fe9c49db9d99292d559c72da95276c2788b17d386',
'total': 74},
{'date': '2020-12-10 15:39:02',
'positives': 0,
'sha256': 'd9c46904d5bb808f2f0c28e819a31703f5155c4df66c4c4669f5d9e81f25dc66',
'total': 75},
{'date': '2020-08-28 07:36:29',
'positives': 0,
'sha256': 'd333c3cfb8b9ad1da5ee50f96a55dfbe70196f05fd88b5f04e925e32305cfff8',
'total': 73},
{'date': '2020-08-28 07:40:32',
'positives': 0,
'sha256': '18c178fb224ec17718e5f70a92041e721d9e380e70063cc4bfe3f61d6feb72d9',
'total': 73},
{'date': '2020-08-28 07:35:10',
'positives': 0,
'sha256': 'a5d14bb053b03e81e58101516c782360fe64d6469852c6aa06fc47c08b30b127',
'total': 73},
{'date': '2020-08-26 22:30:40',
'positives': 0,
'sha256': 'ba16f24e6294e8da28782c1d8e00189950dd4cbbb061ef13d1a4d84305651768',
'total': 73},
{'date': '2020-08-26 14:29:14',
'positives': 0,
'sha256': '1861eee8333dadcfe0d0dc10461f5f82fada8e42db9aa9efba6f258182e9c546',
'total': 73},
{'date': '2020-08-24 07:12:27',
'positives': 0,
'sha256': 'b485e6ccc9cfeb9c2034cebfeaf1bb3b3db0ac9996e5260fc1e95ce852b757c4',
'total': 73}],
'undetected_downloaded_samples': [{'date': '2021-09-09 04:23:12',
'positives': 0,
'sha256': '162c6bdc92693559b937d7ec46d7e93441c1d414d2da823044fcfc57d8f546ce',
'total': 73},
{'date': '2020-09-09 11:44:35',
'positives': 0,
'sha256': 'e8812c8ff47b0542c7ee4d6bdff5bfbfd488a8e363d884074089c54b6ffc9789',
'total': 73},
{'date': '2020-07-16 04:03:02',
'positives': 0,
'sha256': '1474298ed7a5c63ca8098794cd743a276807cca0e678e046160718626bb038f3',
'total': 76}],
'undetected_referrer_samples': [{'date': '2021-12-15 17:04:22',
'positives': 0,
'sha256': 'ab971c2fd88fd5fdc413068143d0a3b0b0ab6b1b4b927a78001c1318299c555e',
'total': 71},
{'date': '2021-09-09 12:12:02',
'positives': 0,
'sha256': '63e44d333b4eb8e0585f8653a66c845f13c98787c9bd2b9c46b0563c8b5d4196',
'total': 70}],
'undetected_urls': [['http://h2381205.stratoserver.net/',
'011bcc2795245bb9fac15c54e0e189b0c6e2f24c42c57fec7cfc654a8bb95106',
0,
80,
'2020-11-02 13:02:39'],
['http://85.214.149.236:443/sugarcrm/.../',
'9ffbd9455f6aa190b4270b0d8bfe2c863c6495b94b0f510169999135476e4ed4',
0,
79,
'2020-07-14 10:52:05']],
'verbose_msg': 'IP address in dataset'}
\n", "### MSTICPy GeoIP Providers\n", "
\n", "