http://docuserver1.com/ng.txt - rule_id: 2253
http://docuserver1.com/ng.txt
https://www.bing.com/

docuserver1.com(66.45.232.203)
4.tcp.ngrok.io(3.133.207.110)
www.google.com(172.217.26.4)
142.250.204.36
66.45.232.203
3.136.65.236
13.107.21.200

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
SURICATA Applayer Detect protocol only one direction
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://docuserver1.com/ng.txt

https://unitious.com/?id=test22-PC_94DE278C3274

unitious.com(157.90.14.145)
157.90.14.145
3.136.65.236

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

157.90.14.145

http://detectportal.firefox.com/success.txt?ipv4

prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
mozilla.org(44.235.246.155)
detectportal.firefox.com(34.107.221.82)
34.107.221.82

http://www.viciousbyjoey.com/rtht/?DhA83=XLov2r9Qqtb3GyK5etqiaouZv1m104bsXMBPWWAkDT7EuCYDlLQBC4ikD2zeJPhQyCqkaxyN&EzuxZr=3fX4qpLxsHG
http://www.londonvisas.com/rtht/?DhA83=9eegBVHKSULmHFVtRIzOCnlW5pbdG9c3aZj2plt2CRhscBe4tE/2q3N2RZI4AAuEsw78P+D3&EzuxZr=3fX4qpLxsHG

www.viciousbyjoey.com(23.227.38.74)
www.londonvisas.com(207.244.67.218)
www.woodlandsuser.com()
23.227.38.74 - mailcious
104.243.45.190

ET MALWARE FormBook CnC Checkin (GET)

http://m.windowsupdatesupport.org/d/procdump.exe

m.windowsupdatesupport.org(89.45.4.101)
93.95.226.238

ET USER_AGENTS Go HTTP Client User-Agent
ET INFO Request for EXE via GO HTTP Client
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Inline HTTP