http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150

orisinlog.com(104.219.248.45)
freegeoip.app(104.28.4.151)
checkip.dyndns.org(131.186.161.70)
104.28.5.151
104.219.248.45 - suspicious
216.146.43.71

ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

185.239.242.195 - suspicious

http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150

freegeoip.app(104.28.4.151)
baharanvilla.ir(185.165.40.194)
checkip.dyndns.org(131.186.161.70)
131.186.113.70
104.28.5.151
185.165.40.194

ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction

http://151.80.8.30/document1.doc

151.80.8.30

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET INFO Dotted Quad Host DOC Request
ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers

http://icanhazip.com/
https://raw.githubusercontent.com/pandalog/nothing/master/john.txt

orisinlog.com(104.219.248.45) - mailcious
icanhazip.com(147.75.47.199)
raw.githubusercontent.com(151.101.192.133) - malware
147.75.47.199
104.219.248.45 - suspicious
151.101.76.133 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
SURICATA Applayer Detect protocol only one direction

http://api.ipify.org/

api.ipify.org(54.235.182.194)
54.243.161.145

ET POLICY External IP Lookup api.ipify.org

http://151.80.8.30/abw.exe

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu(192.253.246.140) - mailcious
192.253.246.140
151.80.8.30 - suspicious

ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

hgygbgfazoruthyshbcfzjzkdgbzbdzzsddfxfsa.ydns.eu(151.80.14.230) - mailcious
151.80.14.230 - suspicious
151.80.8.30 - suspicious

ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE AZORult v3.3 Server Response M3
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

http://api.ipify.org/

api.ipify.org(54.204.14.42)
54.243.164.148

ET POLICY External IP Lookup api.ipify.org

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu(192.253.246.142) - mailcious
192.253.246.142