Trojan.Win32.Generic
Risk Level 1
 
File Size : 930304 KB (unit as published; a 930 MB sample is not credible, so this is almost certainly 930304 bytes, about 908 KiB)
File Type : Portable Executable file
File Name : Delf.exe
MD5 : 7040dc28ec70b3ce88a9765a92bb254b
SHA1 : f9cfd8945603d7af797efddfed31d6144f133237
SHA256 : 7fb81a56a9210c98ca2ac6220591b067800b2040eb50cc3363 (truncated as published, 50 of 64 hex digits; it cannot be used for lookups, use the MD5 or SHA1 instead)

General information:

* File name: C:\Users\vmware\Desktop\malware\Delf.exe

Changes to registry :

* Modifies value "(Default)=C:\windows\svchost.exe "%1" %*" in key HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command
binary data=43003A005C00770069006E0064006F00770073005C0073007600630068006F00730074002E0065007800650020002200250031002200200025002A000000
old value "(Default)="%1" %*"
binary data=2200250031002200200025002A000000
  (Executable association hijack: every .exe started through the shell now runs C:\windows\svchost.exe with the real program passed as "%1". The path is the tell: the legitimate svchost.exe lives in C:\Windows\System32, not C:\Windows. The "binary data" lines are simply the UTF-16LE encoding of the strings shown, with a terminating NUL. Restore this value to "%1" %* before deleting the dropped file, otherwise no .exe on the machine will launch.)
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
  (These eight values are not written by the sample on purpose: the Windows RAS tracing facility creates Tracing\<process name>_RASAPI32 and _RASMANCS keys for any process that loads the RAS dial-up APIs, so they appear because a process named svchost.exe went online. Their only forensic value is the process name embedded in the key.)
* Deletes Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  (Removes the "Show hidden files and folders" option from Explorer's Folder Options, so the hidden copy of svchost.exe created below cannot be made visible from the UI.)
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
  (Recycle Bin: NukeOnDelete=1 applied globally makes deleted files bypass the bin on every drive, removing the easy recovery path for anything deleted while the setting is in place.)
* Creates value "Microsoft=C:\windows\svchost.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00770069006E0064006F00770073005C0073007600630068006F00730074002E006500780065000000
  (Persistence: the dropped file starts at every logon under the innocuous value name "Microsoft". Together with the exefile hijack above the sample has two independent ways of being run, so removing only one is not enough.)
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
  (Windows Error Reporting: suppresses crash dialogs, so an injected process that dies does not alert the user.)
* Creates value "Version=000003E9" in key HKEY_LOCAL_MACHINE\software\mysoft
  (Installation marker, 0x3E9 = 1001; the key name itself is a usable host-based indicator.)
* Modifies value "HideFileExt=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
old value empty
  (Hides file extensions in Explorer, the usual complement to naming payloads after system files.)
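
The registry entries above can be checked mechanically rather than read one by one. The following is an added example written for this page, not the sandbox's own code: it parses the report's own lines, decodes each "binary data" hex string as UTF-16LE to confirm it matches the printed value, and runs a small rule set that flags the exefile hijack, the fake-svchost Run key and the Explorer and Recycle Bin tampering. The rule names, the "clean" value expected for the exefile command and the System32 svchost path are this editor's assumptions.

```python
"""Decode and triage the registry section of a sandbox report.

Added example for this page; it is not the sandbox's own code. REPORT is
copied from the registry section above. The rule names, the "clean" value
expected for the exefile command and the System32 svchost path are this
editor's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

REPORT = r'''
* Modifies value "(Default)=C:\windows\svchost.exe "%1" %*" in key HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command
binary data=43003A005C00770069006E0064006F00770073005C0073007600630068006F00730074002E0065007800650020002200250031002200200025002A000000
old value "(Default)="%1" %*"
binary data=2200250031002200200025002A000000
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\svchost_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Deletes Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "Microsoft=C:\windows\svchost.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00770069006E0064006F00770073005C0073007600630068006F00730074002E006500780065000000
* Modifies value "HideFileExt=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
'''


@dataclass
class RegChange:
    action: str            # Creates / Modifies / Deletes
    key: str
    name: str = ""         # value name; empty for whole-key operations
    data: str = ""         # value data as the report prints it
    decoded: str = ""      # same data recovered from the "binary data=" hex
    old: str = ""          # previous data, for "Modifies" entries
    old_decoded: str = ""


VALUE_RE = re.compile(r'^\* (Creates|Modifies) value "(.+)" in key (.+)$')
KEY_RE = re.compile(r'^\* (Creates|Deletes) Registry key (.+)$')
OLD_RE = re.compile(r'^old value "(.+)"$')
HEX_RE = re.compile(r'^binary data=([0-9A-Fa-f]+)$')


def decode_reg_sz(hexdata: str) -> str:
    """The sandbox dumps REG_SZ/REG_EXPAND_SZ data as UTF-16LE plus a NUL."""
    return bytes.fromhex(hexdata).decode("utf-16-le").rstrip("\x00")


def parse_registry_section(text: str) -> list[RegChange]:
    changes: list[RegChange] = []
    hex_target = "decoded"   # field the next "binary data=" line belongs to
    for line in text.splitlines():
        line = line.strip()
        if m := VALUE_RE.match(line):
            name, _, data = m.group(2).partition("=")
            changes.append(RegChange(m.group(1), m.group(3), name, data))
            hex_target = "decoded"
        elif m := KEY_RE.match(line):
            changes.append(RegChange(m.group(1), m.group(2)))
        elif m := OLD_RE.match(line):
            changes[-1].old = m.group(1).partition("=")[2]
            hex_target = "old_decoded"
        elif m := HEX_RE.match(line):
            setattr(changes[-1], hex_target, decode_reg_sz(m.group(1)))
    return changes


CLEAN_EXEFILE_CMD = '"%1" %*'                      # assumption: value on a clean install
REAL_SVCHOST = r"c:\windows\system32\svchost.exe"  # assumption: the only legitimate path


def triage(changes: list[RegChange]) -> list[tuple[str, str]]:
    """Apply the rules a reviewer would run over the parsed entries."""
    findings: list[tuple[str, str]] = []
    for c in changes:
        key = c.key.lower()
        # The printed value and the hex dump must agree; a mismatch means the
        # report (or the value) is not what it seems.
        if c.decoded and c.decoded != c.data:
            findings.append(("hex-mismatch", f"{c.name}: {c.data!r} vs {c.decoded!r}"))
        if key.endswith(r"\exefile\shell\open\command") and c.name == "(Default)":
            if c.data != CLEAN_EXEFILE_CMD:
                findings.append(("exefile-hijack", c.data))
        elif key.endswith(r"\currentversion\run") and c.action != "Deletes":
            target = c.data.lower()
            if target.endswith("svchost.exe") and target != REAL_SVCHOST:
                findings.append(("run-key-fake-svchost", f"{c.name} -> {c.data}"))
        elif key.endswith(r"\folder\hidden\showall") and c.action == "Deletes":
            findings.append(("explorer-hide-hidden-files", c.key))
        elif c.name == "HideFileExt" and int(c.data, 16) == 1:
            findings.append(("explorer-hide-extensions", c.key))
        elif c.name == "NukeOnDelete" and int(c.data, 16) == 1:
            findings.append(("recycle-bin-bypass", c.key))
    return findings


CHANGES = parse_registry_section(REPORT)
FINDINGS = triage(CHANGES)

if __name__ == "__main__":
    for tag, detail in FINDINGS:
        print(f"{tag:28} {detail}")
```

Run against the lines above it reports five findings: the exefile hijack, the SHOWALL deletion, the Recycle Bin bypass, the Run key pointing at a svchost.exe outside System32, and the hidden extensions; the Tracing entry decodes cleanly and raises nothing, which is the expected result for environment noise.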

Changes to filesystem:

* Modifies file C:\bsa\BSA.EXE
* Modifies file C:\bsa\EXEINFO.EXE
* Modifies file C:\bsa\LANG\Translator.exe
* Modifies file C:\bsa\PEID.EXE
  (C:\bsa\ holds the analysis tools themselves, Buster Sandbox Analyzer and its helpers. The log records writes to these four executables but not what was written, so this report alone cannot say whether the sample patches executables it finds or the tools rewrote themselves; treat any .exe that shared a host with this sample as suspect.)
* Creates file (hidden) C:\windows\svchost.exe
  (The dropper's own copy, hidden attribute set, named after a system process but placed outside System32; this is the file referenced by the exefile and Run key changes above.)
* Creates file C:\windows\system32\mail.lst
* Creates file (empty) C:\windows\system32\mailOfSend.lst
  (Names consistent with an address list and a sent list, matching the SMTP connection in the network section.)
* Creates file C:\windows\system32\msnsvr.dll
* Creates file C:\windows\temp\ssshost.exe
  (Second-stage component: it is also one of the three files fetched from youda2000.vicp.net, and the process section shows it being started and injected into.)

Network services:

* Looks for an Internet connection.
* Queries DNS "youda2000.vicp.net".
  (vicp.net is a Chinese dynamic-DNS service, so the payload host sits behind a changing address; block the name, not the IP.)
* Queries DNS "smtp.21cn.com".
  (The SMTP server of a Chinese mail provider, presumably the relay for the port 25 connection below.)
* C:\Sandbox\vmware\DefaultBox\drive\C\windows\svchost.exe Connects to "174.128.255.229" on port 80 (TCP - HTTP).
* C:\Sandbox\vmware\DefaultBox\drive\C\windows\svchost.exe Connects to "183.61.185.84" on port 25 (TCP - SMTP).
  (The C:\Sandbox\... prefix is Sandboxie's redirected path; on a real host the process is C:\windows\svchost.exe. The log does not say which name resolved to 174.128.255.229. Outbound SMTP from a process named svchost.exe is a strong detection signal on its own.)
  (The requests that follow, from w.c0mo.com through jj.gxgxy.net, are not C2 traffic. The sample fetched three hosts in turn, w.c0mo.com, js.k0102.com and jj.gxgxy.net, and at analysis time each served a domain-parking page (parkingcrew.net scripts, Google domain ads, a teaminternet client id), so the google, gstatic, cloudfront and doubleclick lines are that page's own assets and beacons. The three hostnames are still indicators: they are the names the sample is built to contact.)
* Downloads file from "w.c0mo.com/r.htm".
* Downloads file from "www.google.com/adsense/domains/caf.js".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/saledefault.css".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/assets/style.css".
* Downloads file from "fonts.googleapis.com/css?family=Libre+Baskerville:400,700".
* Downloads file from "fonts.googleapis.com/css?family=Boogaloo".
* Downloads file from "www.parkingcrew.net/scripts/sale_form.js".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/cleanPeppermintBlack_4b29b84c/style.css".
* Downloads file from "fonts.gstatic.com/s/librebaskerville/v4/pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg.eot".
* Downloads file from "fonts.gstatic.com/s/boogaloo/v6/T5vB8h5AY7XmkrpRXqdjXvesZW2xOQ-xsNqO47m55DA.eot".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/cleanPeppermintBlack_4b29b84c/images/chalkboard.jpg".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/sale/orange.png".
* Downloads file from "d32ffatx74qnju.cloudfront.net/scripts/js3caf.js".
* Downloads file from "www.google-analytics.com/ga.js".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&toggle=browserjs&uid=MTQ2NDI0NzYwMC40NzM5OjQ5NmJjOTEyMjQwMDBhMDVhYjY4ZWFmNDI3ZmU3MjViMTZiMDhlN2Q1ODExMzNiZDNkYTkxY2YzMmQzNzdjYjM6NTc0NmE1MzA3M2I5Ng%3D%3D".
* Downloads file from "www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=2111889620&utmhn=w.c0mo.com&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=c0mo.com&utmhid=1150002770&utmr=-&utmp=%2Fr.htm&utmht=1464247607567&utmac=UA-48689684-1&utmcc=__utma%3D35451623.66272890.1464247606.1464247606.1464247606.1%3B%2B__utmz%3D35451623.1464247606.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=885079650&utmredir=1&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464247607786&rid=5451888".
* Downloads file from "dp.g.doubleclick.net/static/caf/slave.html".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet03_3ph&channel=bucket011%2Cbucket048&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2325302772630928&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=w.c0mo.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464247607879&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fw.c0mo.com%2Fr.htm".
* Downloads file from "ajax.googleapis.com/ajax/libs/webfont/1/webfont.js".
* Downloads file from "fonts.googleapis.com/css?family=Libre+Baskerville".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0NzYwMC40NzM5OjQ5NmJjOTEyMjQwMDBhMDVhYjY4ZWFmNDI3ZmU3MjViMTZiMDhlN2Q1ODExMzNiZDNkYTkxY2YzMmQzNzdjYjM6NTc0NmE1MzA3M2I5Ng%3D%3D".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0NzYwMC40NzM5OjQ5NmJjOTEyMjQwMDBhMDVhYjY4ZWFmNDI3ZmU3MjViMTZiMDhlN2Q1ODExMzNiZDNkYTkxY2YzMmQzNzdjYjM6NTc0NmE1MzA3M2I5Ng%3D%3D".
* Downloads file from "afs.googleusercontent.com/dp-teaminternet/arr_3faad3.png".
* Downloads file from "w.c0mo.com/favicon.ico".
  (go.microsoft.com through js.microsoft.com below are Internet Explorer 8's first-run welcome page and its resources, loaded because the sample's HTTP goes through the IE engine on a profile that had never opened IE; compare the IE mutexes in the process section. Environment noise, not sample behaviour.)
* Downloads file from "go.microsoft.com/fwlink/?LinkID=121792".
* Downloads file from "windows.microsoft.com/en-US/internet-explorer/products/ie-8/welcome".
* Downloads file from "windows.microsoft.com/en-us/internet-explorer/ie-8-welcome".
* Downloads file from "windows.microsoft.com/scripts/4.2/wol/modernizr.wol.js".
* Downloads file from "res2.windows.microsoft.com/resources/4.2/wol/shared/css/windows8_site_ltr.css".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/15d2470f-0fcf-45e9-bf5b-c943236a61cf_534.css".
* Downloads file from "res1.windows.microsoft.com/siteresources/siteresource.ashx?id=wolNotificationCSS&hash=82512a82d6c2cb2120298514a390b3a6f2023c70e80c6401d351bc5f357b0368&us=WOLWebUrl&var=LTR".
* Downloads file from "www.bing.com/favicon.ico".
  (Second parked domain, same pattern as w.c0mo.com.)
* Downloads file from "js.k0102.com/go.asp".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/e64030e7-ad8c-4be8-a45a-b69a2df3caef_13.eot?".
* Downloads file from "res1.windows.microsoft.com/resbox/en/windows/main/93e33485-fea3-4687-a642-2c5dd233522f_12.eot?".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/736e3781-6a19-4119-b717-e61f0d8982c0_12.eot?".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/08ce8e54-41ba-4695-9963-a7669022faec_12.eot?".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/5a7873a1-fd4e-4462-8ab2-32bd729117c6_7.png".
* Downloads file from "ajax.aspnetcdn.com/ajax/4.5.1/1/MicrosoftAjax.js".
* Downloads file from "ajax.aspnetcdn.com/ajax/jQuery/jquery-1.8.3.min.js".
* Downloads file from "windows.microsoft.com/scripts/4.2/wol/wol.common.js".
* Downloads file from "ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D".
* Downloads file from "js.microsoft.com/library/svy/windows/pre_broker.js".
* Downloads file from "www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=1678327964&utmhn=js.k0102.com&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmvp=388x198&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=k0102.com&utmhid=673316303&utmr=-&utmp=%2Fgo.asp&utmht=1464247645413&utmac=UA-48689684-1&utmcc=__utma%3D210768270.919903980.1464247645.1464247645.1464247645.1%3B%2B__utmz%3D210768270.1464247645.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=2032183097&utmredir=1&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "d32ffatx74qnju.cloudfront.net/scripts/json3.min.js".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&toggle=browserjs&uid=MTQ2NDI0NzYzOC4yMTU3OjZiMTYzMjNkMGRmYmNjMGQzMWJjN2RlYTViYzU3M2RkZjkyZTU4ZDE4NTU1NzcwMmJjN2E5NzU1YmIyMTA4NjI6NTc0NmE1NTYzNGFmNQ%3D%3D".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464247650296&rid=590643".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket042&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2823696925907968&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=js.k0102.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464247650296&u_w=1596&u_h=748&biw=388&bih=198&psw=388&psh=198&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjs.k0102.com%2Fgo.asp".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0NzYzOC4yMTU3OjZiMTYzMjNkMGRmYmNjMGQzMWJjN2RlYTViYzU3M2RkZjkyZTU4ZDE4NTU1NzcwMmJjN2E5NzU1YmIyMTA4NjI6NTc0NmE1NTYzNGFmNQ%3D%3D".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0NzYzOC4yMTU3OjZiMTYzMjNkMGRmYmNjMGQzMWJjN2RlYTViYzU3M2RkZjkyZTU4ZDE4NTU1NzcwMmJjN2E5NzU1YmIyMTA4NjI6NTc0NmE1NTYzNGFmNQ%3D%3D".
  (Third parked domain; qb2.html and dg2.html are the paths the sample asked for, and the parking page answered both.)
* Downloads file from "jj.gxgxy.net/html/qb2.html".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/sale/sale_simple.png".
* Downloads file from "www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=2108403946&utmhn=jj.gxgxy.net&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=gxgxy.net&utmhid=388656735&utmr=-&utmp=%2Fhtml%2Fqb2.html&utmht=1464247837765&utmac=UA-48689684-1&utmcc=__utma%3D210745806.660855929.1464247836.1464247836.1464247836.1%3B%2B__utmz%3D210745806.1464247836.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=1505610952&utmredir=1&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&toggle=browserjs&uid=MTQ2NDI0NzgzNS4yMDk6MWEzNjVlN2NmYWJmN2EyMDM1MGI3MjZlZTc3Y2FjZGM4YjVjNzA5YWRmZWNlMzQwMDU2M2FmMTZhZjhmYmMwYjo1NzQ2YTYxYjMzMDg1".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464247838810&rid=1100944".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket047&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2347195947241528&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=jj.gxgxy.net&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464247838825&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjj.gxgxy.net%2Fhtml%2Fqb2.html".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0NzgzNS4yMDk6MWEzNjVlN2NmYWJmN2EyMDM1MGI3MjZlZTc3Y2FjZGM4YjVjNzA5YWRmZWNlMzQwMDU2M2FmMTZhZjhmYmMwYjo1NzQ2YTYxYjMzMDg1".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0NzgzNS4yMDk6MWEzNjVlN2NmYWJmN2EyMDM1MGI3MjZlZTc3Y2FjZGM4YjVjNzA5YWRmZWNlMzQwMDU2M2FmMTZhZjhmYmMwYjo1NzQ2YTYxYjMzMDg1".
* Downloads file from "jj.gxgxy.net/favicon.ico".
* Downloads file from "jj.gxgxy.net/html/dg2.html".
* Downloads file from "www.google-analytics.com/__utm.gif?utmwv=5.6.7&utms=2&utmn=915075319&utmhn=jj.gxgxy.net&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=gxgxy.net&utmhid=1839811070&utmr=-&utmp=%2Fhtml%2Fdg2.html&utmht=1464248133603&utmac=UA-48689684-1&utmcc=__utma%3D210745806.660855929.1464247836.1464247836.1464247836.1%3B%2B__utmz%3D210745806.1464247836.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&toggle=browserjs&uid=MTQ2NDI0ODEzMC45MTQxOmRkODVjNjI0MDQ3ZjlmNzQyNWY3MGQ5NzQzYzJkMGY3YWZjODk3ZGYxMzcyYjVkY2U4OGIzM2JjNGQ1NTI5YjA6NTc0NmE3NDJkZjMxNQ%3D%3D".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464248136708&rid=5240133".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket048&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2347195947241528&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=jj.gxgxy.net&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464248136739&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjj.gxgxy.net%2Fhtml%2Fdg2.html".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0ODEzMC45MTQxOmRkODVjNjI0MDQ3ZjlmNzQyNWY3MGQ5NzQzYzJkMGY3YWZjODk3ZGYxMzcyYjVkY2U4OGIzM2JjNGQ1NTI5YjA6NTc0NmE3NDJkZjMxNQ%3D%3D".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0ODEzMC45MTQxOmRkODVjNjI0MDQ3ZjlmNzQyNWY3MGQ5NzQzYzJkMGY3YWZjODk3ZGYxMzcyYjVkY2U4OGIzM2JjNGQ1NTI5YjA6NTc0NmE3NDJkZjMxNQ%3D%3D".
* Downloads file from "www.google-analytics.com/__utm.gif?utmwv=5.6.7&utms=3&utmn=1556373926&utmhn=jj.gxgxy.net&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=gxgxy.net&utmhid=667778495&utmr=-&utmp=%2Fhtml%2Fdg2.html&utmht=1464248146879&utmac=UA-48689684-1&utmcc=__utma%3D210745806.660855929.1464247836.1464247836.1464247836.1%3B%2B__utmz%3D210745806.1464247836.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464248147612&rid=2949206".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket048&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2347195947241528&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=jj.gxgxy.net&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464248147612&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjj.gxgxy.net%2Fhtml%2Fdg2.html".
* Downloads file from "youda2000.vicp.net/my/iexplorer.exe".
* Downloads file from "youda2000.vicp.net/my/svchost.dll".
* Downloads file from "youda2000.vicp.net/my/ssshost.exe".
  (The only host in this list that served executables, and therefore the live payload server. iexplorer.exe and svchost.dll again mimic system names; ssshost.exe matches the file created in C:\windows\temp above.)
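
Most of the network section is parking-page and CDN noise around a handful of real indicators, and sorting the two apart is the first thing to automate. The following is an added example for this page, not the sandbox's code: it groups the report's DNS, connection and download lines by host, suffix-matches the ad, CDN and vendor domains the parking page and IE pull from, recognises the parking provider's track.php beacon, and leaves the attacker-controlled hosts and the executable downloads. REPORT holds trimmed copies of lines from the section above (the long tracking uid parameters are dropped); the KNOWN_INFRA list and the tag names are this editor's assumptions.

```python
"""Separate attacker infrastructure from parking-page and CDN noise in the
network section of a sandbox report.

Added example, not the sandbox's code. REPORT holds trimmed copies of lines
from the network section above (tracking "uid" parameters dropped); the
KNOWN_INFRA list and the tag names are this editor's assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

REPORT = r'''
* Queries DNS "youda2000.vicp.net".
* Queries DNS "smtp.21cn.com".
* C:\Sandbox\vmware\DefaultBox\drive\C\windows\svchost.exe Connects to "174.128.255.229" on port 80 (TCP - HTTP).
* C:\Sandbox\vmware\DefaultBox\drive\C\windows\svchost.exe Connects to "183.61.185.84" on port 25 (TCP - SMTP).
* Downloads file from "w.c0mo.com/r.htm".
* Downloads file from "www.google.com/adsense/domains/caf.js".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/saledefault.css".
* Downloads file from "www.parkingcrew.net/scripts/sale_form.js".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&toggle=browserjs".
* Downloads file from "dp.g.doubleclick.net/static/caf/slave.html".
* Downloads file from "windows.microsoft.com/en-US/internet-explorer/products/ie-8/welcome".
* Downloads file from "js.k0102.com/go.asp".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&caf=1&toggle=feed&feed=afc".
* Downloads file from "jj.gxgxy.net/html/qb2.html".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&toggle=browserjs".
* Downloads file from "youda2000.vicp.net/my/iexplorer.exe".
* Downloads file from "youda2000.vicp.net/my/svchost.dll".
* Downloads file from "youda2000.vicp.net/my/ssshost.exe".
'''

# Ad, CDN and vendor domains that the parking page and IE itself pull from.
# Suffix allow-listing only reduces noise: a CDN can host malware too, so a
# hit here means "known infrastructure", never "known good".
KNOWN_INFRA = (
    "google.com", "googleapis.com", "gstatic.com", "google-analytics.com",
    "doubleclick.net", "googleusercontent.com", "cloudfront.net",
    "parkingcrew.net", "microsoft.com", "aspnetcdn.com", "bing.com",
    "omniroot.com",
)
PAYLOAD_EXT = (".exe", ".dll")

DNS_RE = re.compile(r'^\* Queries DNS "([^"]+)"\.$')
CONN_RE = re.compile(r'Connects to "([^"]+)" on port (\d+) \(TCP - (\w+)\)\.$')
URL_RE = re.compile(r'^\* Downloads file from "([^"]+)"\.$')


def is_known_infra(host: str) -> bool:
    """Match on label boundaries so evil-google.com does not pass as google.com."""
    return any(host == s or host.endswith("." + s) for s in KNOWN_INFRA)


def is_parking_tracker(url) -> bool:
    """The parking provider's own beacon: /track.php?domain=...&toggle=..."""
    return url.path == "/track.php" and {"domain", "toggle"} <= set(parse_qs(url.query))


def classify(text: str) -> tuple[dict[str, set[str]], list[str]]:
    """Return {host: tags} plus the list of executable downloads."""
    hosts: dict[str, set[str]] = defaultdict(set)
    payloads: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if m := DNS_RE.match(line):
            hosts[m.group(1)].add("dns")
        elif m := CONN_RE.search(line):
            hosts[m.group(1)].add(f"{m.group(3).lower()}/{m.group(2)}")
        elif m := URL_RE.match(line):
            url = urlsplit("http://" + m.group(1))
            host = url.hostname or ""
            if is_known_infra(host):
                hosts[host].add("known-infra")
                continue
            hosts[host].add("http")
            if is_parking_tracker(url):
                hosts[host].add("parked")
            if url.path.lower().endswith(PAYLOAD_EXT):
                hosts[host].add("payload")
                payloads.append(m.group(1))
    return dict(hosts), payloads


def suspicious(hosts: dict[str, set[str]]) -> list[str]:
    """Hosts to block and hunt for: not known infrastructure, not a parked domain."""
    return sorted(h for h, tags in hosts.items()
                  if not tags & {"known-infra", "parked"})


HOSTS, PAYLOADS = classify(REPORT)

if __name__ == "__main__":
    for host in sorted(HOSTS):
        print(f"{host:35} {' '.join(sorted(HOSTS[host]))}")
    print("suspicious:", suspicious(HOSTS))
    print("payloads:", PAYLOADS)
```

On the trimmed report this leaves four hosts worth acting on (the two raw IPs, smtp.21cn.com and youda2000.vicp.net), tags the three c0mo/k0102/gxgxy names as parked so they can be tracked separately as dormant indicators, and lists exactly the three executable downloads. The parked tag is deliberately not "benign": those names are the ones the sample will contact again if anyone re-registers them.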

Process/window/string information:

* Gets user name information.
* Gets input locale identifiers.
* Gets computer name.
* Checks for debuggers.
* Uses a pipe for inter-process communication.
* Deletes activity traces.
* Enables privilege SeDebugPrivilege.
* Enables privilege SeIncreaseQuotaPrivilege.
* Enables privilege SeSecurityPrivilege.
* Enables privilege SeTakeOwnershipPrivilege.
* Enables privilege SeSystemProfilePrivilege.
* Enables privilege SeProfileSingleProcessPrivilege.
  (SeDebugPrivilege is what allows opening and writing other processes; SeTakeOwnershipPrivilege and SeSecurityPrivilege let it take over protected files and keys. Enabling them requires administrative rights, consistent with the HKLM writes above.)
* Creates process "c:\windows\temp\ssshost.exe, c:\windows\temp\ssshost.exe, .".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\windows\temp\ssshost.exe".
* Creates process "null, C:\windows\svchost.exe, null".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\windows\svchost.exe".
  (The dropper starts each component and then injects into it, so what runs is not what the on-disk file shows; dump the process memory, not just the file.)
* Opens a service named "IPHOOK".
* Opens a service named "HOOKTDI1".
* Opens a service named "HOOKSys".
* Opens a service named "HookReg".
* Opens a service named "HookCont".
* Enables privilege SeAuditPrivilege.
* Opens a service named "HOOKAPI".
* Opens a service named "ExpScaner".
* Opens a service named "RfwService".
* Opens a service named "RsCCenter".
* Opens a service named "rasman".
* Opens a service named "RsRavMon".
* Opens a service named "Sens".
* Opens a service named "KVDP".
* Opens a service named "KVSrvXP".
* Opens a service named "KWatchSvc".
* Opens a service named "KWatch3".
* Opens a service named "KPfwSvc".
* Opens a service named "KNetWch".
  (Opening a service by name is how the sample checks which security products are installed: RfwService, RsCCenter and RsRavMon belong to Rising, KVDP and KVSrvXP to Jiangmin, KWatchSvc, KWatch3, KPfwSvc and KNetWch to Kingsoft, and the IPHOOK/HOOK* names are hook drivers of Chinese HIPS and personal-firewall products. rasman and Sens are ordinary Windows services. The log records only the open, not whether anything was stopped.)
* Enumerates running processes.
* Creates a mutex "IESQMMUTEX_0_208".
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "Local\HGFSMUTEX".
* Creates a mutex "Global\byc001Ipc2Mutex".
  (The first two are Internet Explorer's own, created when the sample used the IE engine; Local\HGFSMUTEX belongs to VMware Tools' host-guest file system in the analysis VM. Only Global\byc001Ipc2Mutex is attributable to the sample and is the one to use as an indicator.)
* Enables process privileges.
* Contains string "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" (AutoStart registry key).
* Contains string "Software\Microsoft\Windows\CurrentVersion\Run" (AutoStart registry key).
* Contains string "IAMAPP.EXE" (Symantec security software process name).
* Contains string "IPARMOR.EXE" (IParmor security software process name).
* Contains string "KAV.EXE" (Kaspersky security software process name).
* Contains string "KAV32.EXE" (Kaspersky security software process name).
* Contains string "KAVPFW.EXE" (Kaspersky security software process name).
* Contains string "KAVSTART.EXE" (Kaspersky security software process name).
* Contains string "KMAILMON.EXE" (Kingsoft security software process name).
* Contains string "KPFWSVC.EXE" (Kingsoft security software process name).
* Contains string "KVCENTER.KXP" (Jiangmin security software process name).
* Contains string "KVFW.EXE" (Jiangmin security software process name).
* Contains string "KVMONXP.KXP" (Jiangmin security software process name).
* Contains string "KVXP.KXP" (Jiangmin security software process name).
* Contains string "KWATCH.EXE" (Kingsoft security software process name).
* Contains string "NMAIN.EXE" (Symantec security software process name).
* Contains string "PFW.EXE" (SkyNet personal firewall process name).
* Contains string "TASKMGR.EXE" (Task Manager process name).
  (The embedded process-name list mirrors the service probes above and, with TASKMGR.EXE included, is the usual pattern of a sample that terminates or hides from these processes; the log shows no kill in this run. The Winlogon string suggests a second persistence path that was not exercised here.)
* Sleeps 3860 seconds.
  (About 64 minutes. Long sleeps defeat sandboxes with short timeouts, so anything the sample does after the sleep is not in this report.)

Additional Information:

How To Remove Delf.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Full-scan your computer, or the folder where Delf.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the table.

Manual clean-up caveat: because the sample rewrites HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command to run C:\windows\svchost.exe "%1" %*, deleting that file first leaves Windows unable to start any .exe, including an antivirus installer. Restore that value to "%1" %*, remove the "Microsoft" entry from HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, then delete C:\windows\svchost.exe, C:\windows\temp\ssshost.exe, C:\windows\system32\msnsvr.dll, mail.lst and mailOfSend.lst, and undo the Explorer and Recycle Bin changes listed above. Block youda2000.vicp.net and watch for outbound SMTP from the host afterwards.