95.216.107.53 - mailcious

http://45.91.200.135/api/wp-admin.php
http://103.130.147.211/Files/Channel2.exe
http://45.91.200.135/api/wp-ping.php
https://iplog.co/1S3fd7
https://db-ip.com/demo/home.php?s=
https://api.myip.com/

db-ip.com(104.26.5.15)
api64.ipify.org(173.231.16.77)
iplog.co(172.67.219.22)
api.myip.com(104.26.9.59)
58yongzhe.com() - malware
ipinfo.io(34.117.59.81)
104.26.4.15
172.67.75.163
104.237.62.213
172.67.219.22
45.91.200.135
34.117.59.81
103.130.147.211 - malware

ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO URL Shortener Service Domain in DNS Lookup (iplog .co)
ET INFO Observed URL Shortener Service Domain (iplog .co in TLS SNI)

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

ia600100.us.archive.org(207.241.227.240)
207.241.227.240

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://185.38.142.128/test.sp

185.38.142.128 - malware