http://www.videosdownloader.world/pna/?Qzr=lCkM/WNlHDQhPNNCLgigIn5TsqjRkZBYQe3/3x3aWICa8ZqoM9hoiIzVhwhkLA/ae94goVfc&MJBx=FdCtDF7XaZvxp8w0
http://www.mataangin.net/pna/?Qzr=o/AJFgPg/rbDqSsFRatFNqFF87My87PbRraUcI3XxD6SDEHBVw/9QUHgwqVD98MMlV6r5EQQ&MJBx=FdCtDF7XaZvxp8w0

www.videosdownloader.world(104.31.70.123)
www.mataangin.net(216.58.197.147)
74.125.203.121
104.31.70.123 - suspicious

ET INFO Observed DNS Query to .world TLD
ET INFO HTTP Request to Suspicious *.world Domain

http://www.zekmer.com/glt/?v4=z+jsdghqXIBzHzcwNQBJFFUB20Iq6ajocFUFpR4BfVUNFKQjr26H9Gtmme6BTxiiwmG9c7BY&Hp=V48HzvXX

www.zekmer.com(213.186.33.5)
www.organizationfun.net(109.238.192.244)
109.238.192.244
213.186.33.5 - suspicious

http://75.127.1.211/svch/vbc.exe

75.127.1.211 - suspicious

ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://stopinfo.vhostgo.com/info3.html?data=jiafunongye.com%2Fapplication%2FNJ3Ta¬e=%E7%97%85%E6%AF%92%E9%93%BE%E6%8E%A5%E6%9C%AA%E5%88%A0%E9%99%A4&type=1
http://amarteargentina.com.ar/wp-admin/GOAvrV/ - mailcious
http://188.226.165.170:8080/ujQT3Imbl2G/pDHVVAaZp7lORlJ3Ixy/k51ux/GaQ4KvtL/Q8r6Aadb/sJEcvi/ - mailcious
http://jiafunongye.com/application/NJ3Ta/ - mailcious
https://acheterdrogues.com/wp-admin/m/ - mailcious

acheterdrogues.com(104.18.49.158) - mailcious
jiafunongye.com(211.149.252.72) - mailcious
hcareconcepts.com(51.81.109.122) - malware
stopinfo.vhostgo.com(211.149.246.250)
amarteargentina.com.ar(66.97.40.114) - mailcious
78.90.78.210 - suspicious
211.149.246.250
66.97.40.114 - suspicious
188.226.165.170 - suspicious
104.18.48.158 - suspicious
211.149.252.72 - suspicious
51.81.109.122 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://ip-api.com/line

ip-api.com(208.95.112.1)
208.95.112.1

ET POLICY External IP Lookup ip-api.com

http://188.226.165.170:8080/Pniftk8P/gGs2RmTSCCYKfM5hY/JhHo4KMCwNd9/nFXHL4IifaliN33DzPJ/XnbJi2L/ - mailcious

188.226.165.170 - suspicious
78.90.78.210 - suspicious

http://200.116.145.225:443/HPqWp/r16U55UEr6OBOJQOap/ - mailcious

200.116.145.225 - suspicious

ET CNC Feodo Tracker Reported CnC Server group 13
ET POLICY HTTP traffic on port 443 (POST)

agentpurple.ac.ug()
agentttt.ac.ug(79.134.225.40)
79.134.225.40

http://worm.ws/vnc/1

worm.ws(217.8.117.10) - malware
217.8.117.10 - suspicious

ET DROP Spamhaus DROP Listed Traffic Inbound group 38