Computer threats and malicious software description

Agent.REK

2013-02-10

Aliases: Trojan-Dropper.Win32.Agent.rek

Category: Malware

Parameters: Size: 39,424; Type: Trojan-Dropper; Platform: W32

Short description

Agent.REK drops and starts additional malware on the infected system.

Long description

When started, Agent.REK drops and starts the following files:

%System%\WinNt32.dll
%System%\drivers\[random name].sys
Note: %System% usually represents C:\Windows\System32.
Note: [random name] represents a randomly generated file name; names observed during infection include Oiv23.sys and Tqy10.sys.

The dropped files are recognized as Trojan-Downloader.Win32.Agent.GLH and Trojan-Dropper.Win32.Agent.REK.

This Trojan creates the following records in the registry as a part of its installation:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
DLLName = "WinNt32.dll"
StartShell = WLEventStartShell

HKLM\SYSTEM\CurrentControlSet\Services\[random filename]
ImagePath = "%System%\drivers\[random filename]"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random filename].sys
(default) = Driver

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random filename].sys
(default) = Driver

After that, Trojan-Downloader.Win32.Agent.GLH attempts to connect to the following IP addresses:

208.66.195.15
217.170.77.146
66.232.113.80
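As an added defender's example, not part of this description, the following Python script checks a host triage bundle for the indicators listed above: a Winlogon\Notify package that registers WinNt32.dll, drivers registered under both SafeBoot\Minimal and SafeBoot\Network (cross-referenced with the service's ImagePath so the analyst can see where the binary lives), and `netstat -an` lines whose foreign address is one of the three listed IPs. The registry export and netstat output embedded in the script are constructed sample data; the HKEY_LOCAL_MACHINE paths are the long forms of the HKLM keys above, and the `crypt32chain` entry stands in for a legitimate Notify package so the script shows how a benign entry is reported separately from the Agent.REK one.

```python
import re

# Indicators taken from the Agent.REK description above.
AGENT_REK_C2_IPS = {"208.66.195.15", "217.170.77.146", "66.232.113.80"}
AGENT_REK_NOTIFY_DLL = "winnt32.dll"
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SAFEBOOT_ROOTS = {
    "Minimal": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    "Network": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
}
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# 'name'="data" or @="data" lines of a .reg export (REG_SZ only, which is all we need).
REG_VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=(?:"(?P<data>.*)")$')
# Proto / local address / foreign address / optional state, as printed by 'netstat -an'.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample registry export (not a real system dump).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32]
"DLLName"="WinNt32.dll"
"StartShell"="WLEventStartShell"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Oiv23]
"ImagePath"="\\SystemRoot\\System32\\drivers\\Oiv23.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oiv23.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Oiv23.sys]
@="Driver"
'''

# Constructed sample 'netstat -an' output (not captured from a real host).
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.5:1034       208.66.195.15:80       SYN_SENT",
    "  TCP    192.168.1.5:1035       10.0.0.2:445           ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]


def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: string data}}; undoes the \\\\ escape."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group("name")
            keys[current][name] = m.group("data").replace("\\\\", "\\")
    return keys


def _subkeys_of(keys, root):
    """Yield (leaf name, values) for the direct children of root, case-insensitively."""
    prefix = root.lower() + "\\"
    for key, values in keys.items():
        if key.lower().startswith(prefix) and "\\" not in key[len(prefix):]:
            yield key[len(prefix):], values


def find_winlogon_notify_dlls(keys):
    """Every Winlogon\\Notify package that registers a DLL: [(subkey, DLLName)]."""
    return [(leaf, v["DLLName"]) for leaf, v in _subkeys_of(keys, WINLOGON_NOTIFY) if "DLLName" in v]


def find_safeboot_drivers(keys):
    """Drivers allowed in safe mode: {entry: {"modes": [...], "image_path": ...}}."""
    found = {}
    for mode, root in SAFEBOOT_ROOTS.items():
        for leaf, v in _subkeys_of(keys, root):
            if v.get("(default)", "").lower() == "driver":
                found.setdefault(leaf, {"modes": [], "image_path": None})["modes"].append(mode)
    services = {leaf.lower(): v for leaf, v in _subkeys_of(keys, SERVICES_ROOT)}
    for entry, info in found.items():
        svc_name = entry[:-4] if entry.lower().endswith(".sys") else entry
        svc = services.get(svc_name.lower())
        if svc:
            info["image_path"] = svc.get("ImagePath")
    return found


def find_c2_connections(netstat_lines, c2_ips=AGENT_REK_C2_IPS):
    """Match the foreign-address column of 'netstat -an' output against the C2 list."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m:
            ip = m.group(3).rsplit(":", 1)[0]
            if ip in c2_ips:
                hits.append((ip, m.group(4) or ""))
    return hits


def triage(reg_text, netstat_lines):
    """Combine the three checks into one report for the analyst."""
    keys = parse_reg_export(reg_text)
    notify = find_winlogon_notify_dlls(keys)
    return {
        "agent_rek_notify": [leaf for leaf, dll in notify if dll.lower() == AGENT_REK_NOTIFY_DLL],
        "other_notify": [(leaf, dll) for leaf, dll in notify if dll.lower() != AGENT_REK_NOTIFY_DLL],
        "safeboot_drivers": find_safeboot_drivers(keys),
        "c2_connections": find_c2_connections(netstat_lines),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(f"{section}: {result}")
```

The Notify DLL name is the only hard indicator here; the SafeBoot entries are reported rather than flagged because legitimate drivers register there too, and the analyst compares the listed names against the random-name examples (Oiv23.sys, Tqy10.sys) and the ImagePath location. Feed the script a `reg export HKLM` dump and a saved `netstat -an` capture from the suspect host in place of the constructed samples.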