Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'lmlernesaf' = '%TEMP%\Indkald5\Brob9.vbs'
- brob9.exe
- %TEMP%\indkald5\brob9.exe
- %TEMP%\indkald5\brob9.vbs
- %APPDATA%\remcos\logs.dat
- http://5.###.65.146/remcos_agent_duckdns_3031_ip_4041_yYzvSMGT231.bin
- DNS ASK an#####endz.duckdns.org
- '%TEMP%\indkald5\brob9.exe'