http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/az1L5Cssv/lIkSns7VdaFih7TC/FZy7YuB4/5EWdgSxwTpnJFO/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://wsdybsskillemmulatorsdevelovercommwsity.ydns.eu/bssdoc/win32.exe - malware
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150

mail.salujaford.in(199.101.134.84)
wsdybsskillemmulatorsdevelovercommwsity.ydns.eu(212.162.149.27) - malware
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.161.70)
162.88.193.70
104.28.5.151
212.162.149.27 - suspicious
199.101.134.84 - suspicious

ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET POLICY PE EXE or DLL Windows file download HTTP
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain

http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150

mail.salujaford.in(199.101.134.84)
freegeoip.app(104.28.5.151)
checkip.dyndns.org(216.146.43.71)
104.28.4.151
131.186.161.70
199.101.134.84 - suspicious

ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA Applayer Detect protocol only one direction

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/BHsFILw0Hais/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

kingshakes.linkpc.net(79.134.225.52) - mailcious
79.134.225.52 - suspicious

http://ciuj.ir/donpy/index.php

ciuj.ir(104.237.252.41)
104.237.252.41

ET MALWARE AZORult v3.3 Server Response M3

http://70.39.251.94:8080/rTd1BLeci/ION6jVntQcFEnskr/nVplv25C/H9DfHq1WUDUpB/ - mailcious

118.69.11.81 - suspicious
70.39.251.94 - suspicious
190.202.229.74 - suspicious

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://70.39.251.94:8080/upYJrV/ - mailcious

118.69.11.81 - suspicious
70.39.251.94 - suspicious
190.202.229.74 - suspicious

bitbucket.org(104.192.141.1) - malware
18.205.93.2 - suspicious
117.18.232.200 - suspicious

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

http://magicview.ga/rojas/gate.php

magicview.ga(91.203.193.242) - mailcious
91.203.193.242

ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/hcVx/OgLyOkmDwCTmM/p2pkqLA15Sm/MDkzk/EN8kGI/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP