http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=VneSnp3_ukQr2DpIFzFJmPqn.exe&platform=0009&osver=5&isServer=0
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://apps.identrust.com/roots/dstrootcax3.p7c
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://185.172.128.69/latestumma.exe - rule_id: 38123
https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897
https://sun6-22.userapi.com/c909228/u26060933/docs/d49/128817370068/frankurt.bmp?extra=S-7AocaxsIbLkK-ELoZtcguPmTMKNeGVULVejSj8lKOn4iE-SffQhWawQvouXtHuFn4V30tV4Vyf2KFZ982OpZrWgbptKJF--WytR4WsqWN9BMV4Qn2o60SPWY9OAPvZxXlmSACiGQB9-aWJ
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ9CENa5D8--pR4RgBxxVEvfsknWSZfulv4
https://api.myip.com/
https://vk.com/doc26060933_667439205?hash=9u0pp57etRglLIKfkYwZcH44T9cOpyz0LWapsbTF1Bg&dl=z3Yi2TZu3wznuaMj0bEuIRV5ZXaFnSzqV3ZZNSu9aWD&api=1&no_preview=1#pers
https://vk.com/doc493219498_672836373?hash=M7A4hgYlu29jFClj8BntVZXGQNYZUrmGk5Xo8ZtSs3c&dl=vo1qv3UDs2s1kmfM0D1UlsXrUhketlWT0zHzAFUqZzz&api=1&no_preview=1#redcl
https://iplis.ru/1cN8u7.mp3
https://sun6-20.userapi.com/c909218/u26060933/docs/d54/6e7fc67a6ccd/asca1ex.bmp?extra=o0dbnej6BqzEu2z5v-Mxe5oLOHfcHc8vUDbMSePw_8F_JPn8HPD_NLCakc5EiDyrOG0dJBsKL6WuWl8WcnQT6t_9LwNBS5067YCL7hMG9GPzh8bxUp8FvU7aJ65cY8FynND1rYBTFV4uc5jy
https://neuralshit.net/41952c986340dccbd36c6f7751ad8d3c/7725eaa6592c80f8124e769b4e8a07f7.exe
https://psv4.userapi.com/c237131/u26060933/docs/d39/e725e5f13f43/PERSOM-1107.bmp?extra=lM3OqGzYHO-ydtWN8GVm8iBO22fCJG2WhM2K66LXzBICJffrODU--a9Pi-hhT7sttyJddEU9SHHg9SZN_-JOhRN7W2Plh0m9KbP4ZMAMKkWq9tgZOTF670Girpl8yfCoW0v7ugGpJH7nzSwG
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://vk.com/doc26060933_667402082?hash=YceActlCEWNAxzNWlyosqulkJNKFWOXwPC6aoepp51w&dl=4fZA3npX9cldehaLZ4Szl6YhrZWLZOAzHvN5zwGWoWH&api=1&no_preview=1#as
https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echSw-1M9pvREF7eyP8RrYMQCeAIgdGcFGmL
https://vk.com/doc26060933_667283095?hash=XbMEOIVwAxvBMVozZrdx5JL01yibEzrk6OUGAeuqigk&dl=aHYtz9hCKP29fWdvsPFNX8NzNDQemO5X8RKctwJXQK0&api=1&no_preview=1#vmr

neuralshit.net(172.67.134.35) - malware
globalwebventure.com(65.109.26.240)
lakuiksong.known.co.ke(146.59.70.14) - malware
fdjbgkhjrpfvsdf.online(104.21.87.5) - malware
learn.microsoft.com(23.40.45.69)
api.myip.com(104.26.9.59)
iplis.ru(104.21.63.150) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
ipinfo.io(34.117.59.81)
iplogger.com(172.67.194.188) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.132.67) - mailcious
octocrabs.com(104.21.21.189) - mailcious
ironhost.io(172.67.193.129)
psv4.userapi.com(87.240.190.76)
95.142.206.0 - mailcious
87.240.137.164 - mailcious
172.67.139.27 - mailcious
172.67.194.188 - mailcious
208.67.104.60 - mailcious
194.33.191.60 - mailcious
23.210.37.172
34.117.59.81
104.21.21.189
104.26.8.59
104.21.6.10 - malware
172.67.147.32
87.240.137.134
185.172.128.69 - malware
194.169.175.235 - mailcious
23.67.53.17
91.92.243.151 - mailcious
65.109.26.240 - mailcious
45.15.156.229 - mailcious
95.142.206.2 - mailcious
194.49.94.72 - malware
194.49.94.77
146.59.70.14 - malware
104.21.57.237 - mailcious
94.142.138.131 - mailcious

ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET INFO TLS Handshake Failure
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)

http://94.142.138.131/api/firegate.php
http://91.92.243.151/api/tracemap.php
http://45.15.156.229/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://45.15.156.229/api/firegate.php
http://lakuiksong.known.co.ke/netTimer.exe
http://185.172.128.69/latestumma.exe
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe