http://thirtvu13sb.top/v1/upload.php

thirtvu13sb.top(185.244.181.140)
185.244.181.140 - mailcious

ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain

107.173.4.16 - mailcious

89.197.154.116 - mailcious

SURICATA Applayer Wrong direction first Data

http://104.168.7.25/450/taskhostw.exe

104.168.7.25 - mailcious

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

sevtvx17sb.top()

ET DNS Query to a *.top domain - Likely Hostile

pool.hashvault.pro(131.153.76.130) - mailcious
131.153.76.130 - mailcious

ET POLICY Cryptocurrency Miner Checkin
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

pool.hashvault.pro(131.153.76.130) - mailcious
131.153.76.130 - mailcious

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET POLICY Cryptocurrency Miner Checkin

pool.hashvault.pro(125.253.92.50) - mailcious
bitbucket.org(104.192.140.25) - malware
104.192.140.26 - mailcious
131.153.76.130 - mailcious

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET POLICY Cryptocurrency Miner Checkin
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)