http://24.178.90.49/h9KbPK1gLEI/XXlZTim7tH/EzXDn/36caQbGNEEY7ZG/ - mailcious
http://eubanks7.com/administrator/ubdDbB/ - malware
http://96.126.101.6:8080/YDl07q2mBXY/901iVTaPm2iAZmfD/ - mailcious

eubanks7.com(69.65.3.162) - mailcious
24.178.90.49 - suspicious
96.126.101.6 - suspicious
69.65.3.162 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/

api.ipify.org(54.225.169.28)
crt.comodoca.com(91.199.212.52)
91.199.212.52
50.17.193.91

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://185.172.110.201/dkhh/hades.jpg - malware

google.com(172.217.175.78)
jollymorgan.myq-see.com(198.23.192.204)
185.172.110.201 - suspicious
172.217.24.78
198.23.192.204

ET INFO Observed DNS Query to .myq-see .com DDNS Domain
ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding

http://167.114.153.111:8080/gtG28g/ynMKzV9XZyPmE/O5cAFtAz9y5UkFddW5U/xxPbLWGI0rztF/Faf9AW0b/ - mailcious

208.180.207.205 - suspicious
167.114.153.111 - suspicious

http://allcannabismeds.com/unraid-map/xcGN/
http://stopinfo.vhostgo.com/info3.html?data=jiafunongye.com%2Fapplication%2FNJ3Ta¬e=%E7%97%85%E6%AF%92%E9%93%BE%E6%8E%A5%E6%9C%AA%E5%88%A0%E9%99%A4&type=1
http://amarteargentina.com.ar/wp-admin/GOAvrV/
http://jiafunongye.com/application/NJ3Ta/
https://acheterdrogues.com/wp-admin/m/

hcareconcepts.com(51.81.109.122)
amarteargentina.com.ar(66.97.40.114) - mailcious
jiafunongye.com(211.149.252.72) - mailcious
allcannabismeds.com(35.208.69.64) - malware
acheterdrogues.com(104.18.49.158)
stopinfo.vhostgo.com(211.149.246.250)
35.208.69.64 - suspicious
78.90.78.210
211.149.246.250
66.97.40.114 - suspicious
172.67.186.189
211.149.252.72 - suspicious
51.81.109.122

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://188.226.165.170:8080/DsKr19C9vITeWAXHSZ/ - mailcious

188.226.165.170 - suspicious
78.90.78.210

http://96.126.101.6:8080/d8HFt/Wi9QIuN1Noi0x0/ - mailcious

96.126.101.6 - suspicious
200.116.145.225 - suspicious

ET CNC Feodo Tracker Reported CnC Server group 13

http://www.chapelknollestates.com/cgi-bin/Xr9RkLq/ - malware
http://96.126.101.6:8080/eTYkX/5Fl9s5owHWh9BD6sP6/ - mailcious
https://rallyemas.com/wp-content/x51/

www.chapelknollestates.com(131.153.44.4) - malware
rallyemas.com(88.99.145.163)
swiftbusinesspay.com(68.66.248.54) - malware
96.126.101.6 - suspicious
88.99.145.163
200.116.145.225 - suspicious
131.153.44.4 - suspicious
68.66.248.54 - suspicious

SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET CNC Feodo Tracker Reported CnC Server group 13
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://autodidactai.com/wp-content/5SF/
http://primaage.com/wp-admin/is/
http://uvibrands.com/QIG/
http://177.107.79.214:8080/xnoNI2qo11i3D/3aNkn/XcAA7MF7AWKL4LMEiEf/9NYV9VrLE/Mb8iWJuY/sncmOVN9EXFxv/
https://cs.vitalero.com/wp-includes/Vf/

cs.vitalero.com(89.221.212.63)
morrobaydrugandgift.com(46.17.175.19)
primaage.com(103.8.25.135)
uvibrands.com(172.67.155.28)
autodidactai.com(104.31.77.164)
177.107.79.214
103.8.25.135 - suspicious
46.17.175.19 - suspicious
104.31.77.164
104.18.48.233
89.221.212.63

SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)