SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

176.123.3.222
185.97.32.34
192.46.225.58
193.23.244.244 - mailcious
86.59.21.38 - mailcious
128.31.0.39 - mailcious
116.12.180.237
199.58.81.140 - mailcious
192.121.44.26
89.163.164.202
104.149.139.42
87.151.147.113
131.188.40.189 - mailcious
154.35.175.225 - mailcious

ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 278
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 307
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 139
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 741

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

129.159.151.146 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://47.104.173.216:8081/server.txt
http://47.104.173.216:8081/STHealthUpdate.exe

47.104.173.216 - malware

ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

camo.githubusercontent.com(185.199.109.133)
fonts.googleapis.com(142.250.196.106)
widget.uservoice.com(104.17.27.92)
www.google-analytics.com(142.250.206.238)
142.251.222.202
104.17.29.92
142.250.204.142
104.17.30.92
142.251.222.206
104.17.27.92
104.17.28.92
104.17.31.92
185.199.108.133 - mailcious
172.217.27.42

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure