http://ip-api.com/line

ip-api.com(208.95.112.1)
208.95.112.1

ET POLICY External IP Lookup ip-api.com

http://139.180.207.31:8080/plugin/populationStatistics/work?type=1&ip=175.208.134.150&country=KR
http://www.ukndesw19x.com/lqosko/p18j/curl.exe
http://139.180.207.31:8070/cookie/useStatistics/count?username=customer1
http://www.ukndesw19x.com/lqosko/p18j/cookie-parse.exe

www.ukndesw19x.com(45.77.254.200) - malware
get.geojs.io(104.26.0.100)
139.180.207.31
45.77.254.200 - malware
104.26.1.100

ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
https://cdn.discordapp.com/attachments/775608373949235243/783607745068138526/Qeywerd

discord.com(162.159.136.232)
api.ipify.org(23.21.252.4)
crt.comodoca.com(91.199.212.52)
cdn.discordapp.com(162.159.134.233) - malware
91.199.212.52
162.159.130.233 - malware
162.159.128.233
54.225.66.103

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://cdn.discordapp.com/attachments/775608373949235243/783377635308601394/Xrwello
https://api.ipify.org/

discord.com(162.159.136.232)
api.ipify.org(23.23.100.164)
crt.comodoca.com(91.199.212.52)
cdn.discordapp.com(162.159.135.233) - malware
91.199.212.52
54.221.253.252
162.159.136.232
162.159.130.233 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://api.playanext.com/httpapi

relay-9b8a0681.net.anydesk.com(84.17.34.78)
boot-01.net.anydesk.com(49.12.130.237)
api.playanext.com(52.89.164.251)
84.17.34.78
52.40.199.242
88.198.34.103

ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)

http://47.101.57.72:8001/AIlf
http://47.101.57.72:8001/pixel

47.101.57.72

http://memoria.od.ua/wp-admin/GbLB2/
http://24.231.88.85/0k2eoofk47/
http://helionspharmaceutical.com/wp-admin/Yg/

helionspharmaceutical.com(172.67.189.103) - malware
memoria.od.ua(185.104.45.30) - mailcious
185.104.45.30 - mailcious
104.24.120.146 - malware
24.231.88.85

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://memoria.od.ua/wp-admin/GbLB2/
http://helionspharmaceutical.com/wp-admin/Yg/
http://24.231.88.85/z4fgh5l/lv1gww7ii/sh5b52ak9qgbj7nsi5/k5qt3r51rboei665f/uh7o7dlj3m/laq17f1k6idubxm/

helionspharmaceutical.com(104.24.121.146) - malware
memoria.od.ua(185.104.45.30) - mailcious
185.104.45.30 - mailcious
24.231.88.85
172.67.189.103

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://memoria.od.ua/wp-admin/GbLB2/
http://24.231.88.85/mx099cdjvh4mju6/rzkb3row8mhu63wem/
http://helionspharmaceutical.com/wp-admin/Yg/

helionspharmaceutical.com(104.24.121.146) - malware
memoria.od.ua(185.104.45.30) - mailcious
185.104.45.30 - mailcious
24.231.88.85
172.67.189.103

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

191.96.184.151