kingshakes.linkpc.net(79.134.225.52) - mailcious
79.134.225.52 - suspicious

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/BHsFILw0Hais/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150

mail.salujaford.in(199.101.134.84)
freegeoip.app(104.28.5.151)
checkip.dyndns.org(216.146.43.71)
104.28.4.151
131.186.161.70
199.101.134.84 - suspicious

ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA Applayer Detect protocol only one direction

http://wsdybsskillemmulatorsdevelovercommwsity.ydns.eu/bssdoc/win32.exe - malware
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150

mail.salujaford.in(199.101.134.84)
wsdybsskillemmulatorsdevelovercommwsity.ydns.eu(212.162.149.27) - malware
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.161.70)
162.88.193.70
104.28.5.151
212.162.149.27 - suspicious
199.101.134.84 - suspicious

ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET POLICY PE EXE or DLL Windows file download HTTP
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/az1L5Cssv/lIkSns7VdaFih7TC/FZy7YuB4/5EWdgSxwTpnJFO/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://annabphotography.co.uk/wp-includes/WdHO/
http://173.173.254.105/VUE9aVj4BJR/14tp40nWJQcBF/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://annabphotography.co.uk/wp-includes/WdHO/
http://shivakunwar.com.np/swift/ZenW4gwhknqJ1/
http://173.173.254.105/O6x6F5c8/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
shivakunwar.com.np(72.29.65.177) - mailcious
35.208.159.220 - suspicious
35.214.15.47 - suspicious
72.29.65.177 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
117.18.232.200 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

manweikeji.com(103.82.52.25)
103.82.52.25
117.18.232.200 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

http://173.173.254.105/QyzclKTk/vs6VYXdD/us3PJya/ - mailcious

173.173.254.105 - suspicious
102.182.145.130 - suspicious

http://70.39.251.94:8080/YENeL7EW77ATz/FS7SCljrP5OI3f/A9SCSlrLLNjEjV/LrdtVxqzvuOTmlAgZXX/llW8KgyVCl7z7LY/SLNACzxafIl9/ - mailcious
http://legalempowermentindia.com/cgi-bin/Qs/ - malware

legalempowermentindia.com(202.66.172.245) - malware
70.39.251.94 - suspicious
190.202.229.74 - suspicious
118.69.11.81 - suspicious
202.66.172.245 - suspicious
117.18.232.200 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP

http://70.39.251.94:8080/kAisbuN/3zlv3KqUXyayyXG9sr/mG7c1ziXcJYd/o28eWh/ - mailcious
http://uxnew.com/old/89i/ - malware

uxnew.com(156.247.12.150) - malware
70.39.251.94 - suspicious
190.202.229.74 - suspicious
156.247.12.150 - suspicious
118.69.11.81 - suspicious
117.18.232.200 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP