http://188.34.200.103/softokn3.dll
http://188.34.200.103/msvcp140.dll
http://188.34.200.103/903 - rule_id: 4371
http://188.34.200.103/freebl3.dll
http://188.34.200.103/nss3.dll
http://188.34.200.103/ - rule_id: 4372
http://188.34.200.103/vcruntime140.dll
http://u1452023.cp.regruhosting.ru/PE/steammaa.dll - rule_id: 4381
http://188.34.200.103/mozglue.dll
https://eduarroma.tumblr.com/ - rule_id: 4373

eduarroma.tumblr.com(74.114.154.18) - mailcious
u1452023.cp.regruhosting.ru(31.31.198.230) - malware
81.16.141.221 - malware
74.114.154.18 - mailcious
31.31.198.230 - malware
188.34.200.103 - mailcious

ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

http://188.34.200.103/903
http://188.34.200.103/
http://u1452023.cp.regruhosting.ru/PE/steammaa.dll
https://eduarroma.tumblr.com/

ujzYUCxeWirjpFYgcWLYZFegxKw.ujzYUCxeWirjpFYgcWLYZFegxKw()

http://brokenislegion.tk/BN1/fre.php

brokenislegion.tk()

ET DNS Query to a .tk domain - Likely Hostile

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
https://cdn.discordapp.com/attachments/879335227095416884/879356613826314250/soul3ss.exe
https://api.ip.sb/geoip

ocsp.digicert.com(117.18.237.29)
cdn.discordapp.com(162.159.135.233) - malware
api.ip.sb(104.26.13.31)
188.130.139.12
162.159.133.233 - malware
172.67.75.172 - mailcious
117.18.237.29

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Securedbag2021-48502.portmap.host(193.161.193.99)
193.161.193.99 - mailcious

ET POLICY DNS Query to a Reverse Proxy Service Observed

http://s-bins.duckdns.org/Remcos_S_ttbtMhtE31.bin

s-wave.duckdns.org(23.146.242.67)
s-bins.duckdns.org(23.146.242.94)
23.146.242.67
23.146.242.94 - malware

ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

193.161.193.99 - mailcious