https://tsyndicate.com/do2/direct?c=e0SEGUNHhI4YLETQgXNQBJw3DRXSOeMwTA0zNmzMmFGjRYwbMMi0oCEjx8gwYWDgaIFjDBmVZG6U2QhjhgiFY9zMOTiDhg2FYeqMcSjGDpo6OW6IkYODDo0cYnKkwWEHJgycIsSkIeMwRtYwZOwcjJEDJNCHdcQczFHDRsKBcBrqwHHDBg2Fc-AY1DFDIwyoNxSWwUPni16-IkrSwHG3hgwZWHO2mTvDJlQcQcmYOShYqxs3B2XEwBF4hsI2birqkFGyBgyFcFKvBgkDBto6X3WIQEOH4RwdL16EkUPnzZw1ady4gJNmzJwXP8iUseO8zBc6eeCU6QFlCJc6tmXYmCNnTI8lT7KSyRNaBx05dcooJPOmjcPFjWk8jsw84pgw5kDDBTfKMCinMPjaYoYYuojNvINgcME2uCKCUAcJKVRIDM4wdCEGGWrISbYv4LhQQs_ksKMy2EQoYwzZyFKojjrScIgMGmIgwyUycsDBDNvEiIyGMny0LQcfXzSjNBlmymqOMnjarQwzahADBzJsaiEMGsSIgaQyahhjyzLCMKOFMcy4oa2SyhDyp6zSmEsEkGpwITIcPvTpw9eyqiMMh5p4Q4802GAjjBfshAEEFMawD44E0xCDjTJ2AKGJKZIoAoQcJrT0CuXqu2MOEJygAgQbPvxUubssxaNVEKiQg6sy3KAj0QlTyGoMonZbQoqs3pDjC14d-jUrOc5wj7SfFGKjVxHSW4-6L5giS0QRprPjCznKYIOsGGywC4YcbLCNPjneOAhbMtL9wo4y5FjXNrxEOO4gtMoba7d06UhQ2BbqcCMNOlqQIc87ApRhPWjrmOOLhOdYeKL7EDK3rpBuAInihS1e6YaMQZoBBxj6UCAg&s=bc1df301830813ddfb317752c80507d2278888fa733f901a3824dd5dceb2b1f01608770717
https://popcash.net/world/go/243171/541957
https://artoskin.pics/?device_type=PC&src=KO

ps.popcash.net(52.201.162.15) - mailcious
tsyndicate.com(136.243.75.209)
artoskin.pics(185.174.101.143)
popcash.net(104.27.207.92) - mailcious
178.33.77.155
107.23.123.124
136.243.134.97
104.27.206.92

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

agentttt.ac.ug(79.134.225.40) - mailcious
79.134.225.40 - mailcious

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/

api.ipify.org(184.73.247.141)
crt.comodoca.com(91.199.212.52)
91.199.212.52
23.21.126.66

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://gfbrice.ac.ug/msvcp140.dll
http://gfbrice.ac.ug/main.php
http://gfbrice.ac.ug/sqlite3.dll
http://gfbrice.ac.ug/mozglue.dll
http://gfbrice.ac.ug/softokn3.dll
http://gfbrice.ac.ug/
http://gfbrice.ac.ug/vcruntime140.dll
http://gfbrice.ac.ug/nss3.dll
http://gfbrice.ac.ug/freebl3.dll
http://darkface.ac.ug/index.php
http://darkface.ac.ug/ac.exe
https://cdn.discordapp.com/attachments/720918485122940978/791284356970577941/Xzor123

gfbrice.ac.ug(45.150.206.10)
taenaia.ac.ug(185.140.53.149) - mailcious
darkface.ac.ug(45.150.206.10) - malware
cdn.discordapp.com(162.159.135.233) - malware
discord.com(162.159.136.232)
agentpapple.ac.ug() - mailcious
162.159.133.233 - malware
45.150.206.10 - malware
162.159.136.232
185.140.53.149 - mailcious

ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE AZORult v3.3 Server Response M2
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

187.39.237.56 - mailcious
108.4.209.15 - mailcious

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/

api.ipify.org(184.73.247.141)
crt.comodoca.com(91.199.212.52)
91.199.212.52
23.23.100.164

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

23.23.100.164