MalAgent.H_15588 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.
Mutexes created
Directory level activity
File level activity
- write - file - C:\Documents and Settings\TestMachine\Start Menu\Programs\Startup\x.vbs
Registry level activity
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\GeneralUniqueID
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\GeneralComputerName
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\GeneralVolumeSerialNumber
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrShadow
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrHighlight
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrForeColor
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrBackColor
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrDownload
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrViewed
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Control\PlayBarClrStatic
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
Library level activity
- load - library - KERNEL32
- load - library - COMCTL32.DLL
- load - library - C:\WINDOWS\system32\rpcss.dll
- load - library - CLBCATQ.DLL
- load - library - ole32.dll
- load - library - KERNEL32.DLL
- load - library - C:\WINDOWS\system32\wmpdxm.dll
- load - library - FMPLAYER.DLL
- load - library - HWAUDIO.DLL
- load - library - XACTMP.DLL
- load - library - MSHTML.DLL
- load - library - msdxm.ocx
- load - library - oleaut32.dll
- load - library - C:\WINDOWS\system32\msdxm.ocx
- load - library - COMCTL32.dll
- load - library - SXS.DLL
- load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\60934f65f9c57e0df3fb31f136e658c2.bin
- load - library - kernel32.dll
- load - library - shell32.dll
- load - library - advapi32.dll
- load - library - ntdll.dll
- load - library - psapi.dll
- load - library - ADVAPI32.dll
- load - library - mscoree.dll
- load - library - advapi32
- load - library - ntdll
Process API calls used
- NtCreateSection
- ZwMapViewOfSection
- CreateProcessInternalW
- NtTerminateProcess
- NtFreeVirtualMemory
- NtReadVirtualMemory
- WriteProcessMemory
- WriteProcessMemory
Registry API calls used
- RegOpenKeyExW
- RegQueryValueExW
- RegCloseKey
- NtOpenKey
- RegCreateKeyExW
- RegQueryInfoKeyW
- RegEnumKeyExW
- NtQueryValueKey
- RegSetValueExW
- RegOpenKeyExA
- RegCloseKey
System API calls used
- LdrGetDllHandle
- LdrGetProcedureAddress
- SetWindowsHookExA
- LdrLoadDll
- NtDelayExecution
- NtDelayExecution
Filesystem API calls used
- NtCreateFile
- NtQueryInformationFile
- NtSetInformationFile
- NtReadFile
- NtOpenFile
- CopyFileW
- NtCreateFile
Network
UDP source >> destination
- 192.168.30.254 >> 192.168.30.7
- 192.168.30.7 >> 192.168.30.255
TCP source >> destination
- 192.168.30.7 >> 192.168.30.254
Domains:
DNS Request:
HTTP Request:
DLL related data
Number of DLLs imported = 11
- KERNEL32.dll
- USER32.dll
- GDI32.dll
- comdlg32.dll
- WINSPOOL.DRV
- ADVAPI32.dll
- COMCTL32.dll
- oledlg.dll
- ole32.dll
- OLEPRO32.DLL
- OLEAUT32.dll