http://ip.ws.126.net/ipquery
http://config.xihon.cn/res/updateconfig/56/57/72/cfg_updateconfig_use.zip
http://config.xihon.cn/res/pcadconfig/56/57/72/cfg_pcadconfig.zip
http://sd.xihon.cn/log/sendmsg.php
http://pv.sohu.com/cityjson
http://config.xihon.cn/uploads/20201224/df3583758c11c9bf60ac91758222c69a.zip

ip.ws.126.net(59.111.181.52)
pv.sohu.com(175.100.207.230)
config.xihon.cn(120.52.95.234)
sd.xihon.cn(123.56.15.95)
218.12.76.164
175.100.207.230
218.12.76.163
59.111.181.52
123.56.15.95

ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
SURICATA HTTP unable to match response to request

http://tj.77w62.top/tongji.php?os=6.1.7601&userid=miu555&mac=&ver=&xiezai=0&wb=&az=0&uid=

tj.77w62.top(27.124.45.168)
27.124.45.168 - malware

ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain

info.v-pn.co(194.5.98.55)
194.5.98.55

taenaia.ac.ug(185.140.53.149) - mailcious
agentpapple.ac.ug() - mailcious
discord.com(162.159.138.232)
cdn.discordapp.com(162.159.129.233) - malware
185.140.53.149 - mailcious
162.159.138.232
162.159.130.233 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

malscxa.ac.ug() - mailcious

115.159.154.82 - malware

115.159.154.82 - malware

lowyersolus.nl(185.239.243.112) - malware
185.239.243.112 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex