http://116.202.183.50/mozglue.dll
http://116.202.183.50/nss3.dll
http://116.202.183.50/vcruntime140.dll
http://116.202.183.50/ - rule_id: 2743
http://116.202.183.50/softokn3.dll
http://astdg.top/nddddhsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 2546
http://116.202.183.50/msvcp140.dll
http://116.202.183.50/517 - rule_id: 2744
http://116.202.183.50/freebl3.dll
https://sslamlssa1.tumblr.com/ - rule_id: 2745

sslamlssa1.tumblr.com(74.114.154.22) - mailcious
astdg.top(211.170.70.237) - mailcious
api.2ip.ua(77.123.139.190)
securebiz.org(187.212.182.122) - malware
77.123.139.190
115.91.217.231
74.114.154.22 - mailcious
61.36.14.230
116.202.183.50 - mailcious

ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO TLS Handshake Failure
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET INFO HTTP Request to a *.top domain
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

http://116.202.183.50/
http://astdg.top/nddddhsspen6/get.php
http://116.202.183.50/517
https://sslamlssa1.tumblr.com/