Edit tour

Windows Analysis Report
SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Overview

General Information

Sample name:	SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe
Analysis ID:	1647491
MD5:	78d9ee13f2d8f27fc5c4b930ea05a78b
SHA1:	6dc44bcb428ff9787be8eaf53649d5015b874056
SHA256:	bd05dd62de07b5a82eddaa1edf000ccbe1a839791c3cd43e86ee0576060ff09c
Tags:	exeuser-SecuriteInfoCom

Detection

Score:	2
Range:	0 - 100
Confidence:	60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe (PID: 8640 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe" MD5: 78D9EE13F2D8F27FC5C4B930EA05A78B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

String found in binary or memory: http://www.gameofmir.comF

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe, 00000000.00000000.1288173326.0000000000401000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: DirectDrawCreateEx

memstr_ee13238d-8

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe, 00000000.00000000.1288654211.00000000008A3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename> vs SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe
Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Binary or memory string: OriginalFilename> vs SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean2.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

String found in binary or memory: /Address family not supported by protocol family

Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: d3d8.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: d3dx81ab.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: d3d8thk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Static file information: File size 4650332 > 1048576

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x2f4c00

Source: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Static PE information: section name: JCLDEBUG

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	1 Input Capture	1 System Information Discovery	Remote Services	1 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://www.gameofmir.comF	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.gameofmir.comF	SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1647491
Start date and time:	2025-03-24 22:14:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe
Detection:	CLEAN
Classification:	clean2.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20, 172.202.163.200, 20.99.186.246, 150.171.28.10, 23.57.90.171
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.738050921010631
TrID:	Win32 Executable (generic) a (10002005/4) 98.29% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 Executable Delphi generic (14689/80) 0.14% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe
File size:	4'650'332 bytes
MD5:	78d9ee13f2d8f27fc5c4b930ea05a78b
SHA1:	6dc44bcb428ff9787be8eaf53649d5015b874056
SHA256:	bd05dd62de07b5a82eddaa1edf000ccbe1a839791c3cd43e86ee0576060ff09c
SHA512:	dcf5061a54695a29dc99b7dd7144ecb52a9b8973bd0e64cee1f613482fe908bb0f0782023d136e255a6ec5fe41d969d5c640e4e6a1dc429f06690139c13a1539
SSDEEP:	49152:hxaaLgO+ksyjz0fsovJWxq4hsP8V0JigTDaf4+Ygm5wR:hg0VoBij0CfHYg
TLSH:	CF268CA5B2418017E1632B385D9783F41828BB291E38699B37E9CF8CCF35698797135F
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	cba729a585a5555b

Static PE Info

General

Entrypoint:	0x6f50fc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c8cc639128b993317f408dbb4b01f6e5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000007h
push 00000000h
push 00000000h
dec ecx
jne 00007F6B30D583EBh
push ebx
push esi
push edi
mov eax, 006F488Ch
call 00007F6B30A6A88Dh
xor eax, eax
push ebp
push 006F5A0Bh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
call 00007F6B30A66574h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49e000	0x2d9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d4000	0x17400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a3000	0x30168	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a2000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x2f4a2c	0x2f4c00	72c7f035c0b8fe6bf732019a33020e8a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x2f6000	0x2c560	0x2c600	0cf51567f30ba3fe8fbf4c137b896240	False	0.7924570862676056	data	7.213959779368069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x323000	0x17a3a5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x49e000	0x2d9e	0x2e00	88a88481ac35551a1a4c19f445dd6099	False	0.36990489130434784	data	5.058136124833297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x4a1000	0x14	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4a2000	0x18	0x200	40446b72a2b36c48324315fa31ff06fa	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\212"	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x4a3000	0x30168	0x30200	87b5f1e0a5b9dfb81235de32519850ab	False	0.6577465503246753	data	6.7872546873775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x4d4000	0x17400	0x17400	c4398d220008ba4cc19468f9329fd92f	False	0.2327158938172043	data	5.468524826675786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
JCLDEBUG	0x4ec000	0x75bf4	0x75c00	c614e1fea63ebe65e5bd1e4d6ee26168	False	0.3845085257430998	data	5.6687885897666455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4d53d0	0x134	data	English	United States	0.38961038961038963
RT_CURSOR	0x4d5504	0x134	data			0.4642857142857143
RT_CURSOR	0x4d5638	0x134	data			0.4805194805194805
RT_CURSOR	0x4d576c	0x134	data			0.38311688311688313
RT_CURSOR	0x4d58a0	0x134	data			0.36038961038961037
RT_CURSOR	0x4d59d4	0x134	data			0.4090909090909091
RT_CURSOR	0x4d5b08	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x4d5c3c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_BITMAP	0x4d5d70	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x4d5f40	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x4d6124	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x4d62f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x4d64c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x4d6694	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x4d6864	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x4d6a34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x4d6c04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x4d6dd4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x4d6fa4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Chinese	China	0.4870689655172414
RT_BITMAP	0x4d708c	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.35596026490066224
RT_BITMAP	0x4d7544	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.3518211920529801
RT_BITMAP	0x4d79fc	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.34271523178807944
RT_BITMAP	0x4d7eb4	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2882 x 2882 px/m	English	United States	0.3609271523178808
RT_BITMAP	0x4d836c	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.36423841059602646
RT_BITMAP	0x4d8824	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.32741116751269034
RT_BITMAP	0x4d8e4c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.33756345177664976
RT_BITMAP	0x4d9474	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30774111675126903
RT_BITMAP	0x4d9a9c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.39403553299492383
RT_BITMAP	0x4da0c4	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2882 x 2882 px/m	English	United States	0.4346446700507614
RT_BITMAP	0x4da6ec	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.32741116751269034
RT_BITMAP	0x4dad14	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.3483502538071066
RT_BITMAP	0x4db33c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30710659898477155
RT_BITMAP	0x4db964	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.33121827411167515
RT_BITMAP	0x4dbf8c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30710659898477155
RT_BITMAP	0x4dc5b4	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors			0.5197368421052632
RT_BITMAP	0x4dc64c	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors			0.506578947368421
RT_ICON	0x4dc6e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.39919354838709675
RT_DIALOG	0x4dc9cc	0x52	data			0.7682926829268293
RT_STRING	0x4dca20	0x78	data			0.65
RT_STRING	0x4dca98	0x28c	data			0.3450920245398773
RT_STRING	0x4dcd24	0x1f8	data			0.37896825396825395
RT_STRING	0x4dcf1c	0x194	AmigaOS bitmap font "i", fc_YSize 2816, 19456 elements, 2nd "i", 3rd			0.4504950495049505
RT_STRING	0x4dd0b0	0x124	StarOffice Gallery theme q, 1795190272 objects, 1st o			0.5273972602739726
RT_STRING	0x4dd1d4	0x128	data			0.48986486486486486
RT_STRING	0x4dd2fc	0x498	data			0.38010204081632654
RT_STRING	0x4dd794	0x3bc	data			0.4194560669456067
RT_STRING	0x4ddb50	0x428	data			0.3674812030075188
RT_STRING	0x4ddf78	0x1dc	data			0.4894957983193277
RT_STRING	0x4de154	0x1ec	data			0.3516260162601626
RT_STRING	0x4de340	0x148	data			0.5548780487804879
RT_STRING	0x4de488	0x2a0	Targa image data - Color 99 x 107 x 32 +68 +111 "z"			0.48214285714285715
RT_STRING	0x4de728	0x2c0	data			0.4715909090909091
RT_STRING	0x4de9e8	0xdc	data			0.5863636363636363
RT_STRING	0x4deac4	0x130	data			0.5493421052631579
RT_STRING	0x4debf4	0x268	data			0.4788961038961039
RT_STRING	0x4dee5c	0x404	data			0.3715953307392996
RT_STRING	0x4df260	0x390	AmigaOS bitmap font "s", fc_YSize 29696, 9472 elements, 2nd "b", 3rd "n"			0.3969298245614035
RT_STRING	0x4df5f0	0x378	data			0.4099099099099099
RT_STRING	0x4df968	0x380	data			0.35379464285714285
RT_STRING	0x4dfce8	0x39c	data			0.40476190476190477
RT_STRING	0x4e0084	0xe4	data			0.5482456140350878
RT_STRING	0x4e0168	0xbc	data			0.5691489361702128
RT_STRING	0x4e0224	0x2f4	data			0.4312169312169312
RT_STRING	0x4e0518	0x430	data			0.33115671641791045
RT_STRING	0x4e0948	0x330	data			0.36519607843137253
RT_STRING	0x4e0c78	0x314	data			0.34390862944162437
RT_RCDATA	0x4e0f8c	0x10	data			1.5
RT_RCDATA	0x4e0f9c	0xce4	data			0.593030303030303
RT_RCDATA	0x4e1c80	0x7461	Delphi compiled form 'TFrmJSYDlg'			0.24106333702547578
RT_RCDATA	0x4e90e4	0x7fc	Delphi compiled form 'TfrmMain'			0.4207436399217221
RT_RCDATA	0x4e98e0	0x3ad	Delphi compiled form 'TFrmProgress'			0.5090329436769394
RT_RCDATA	0x4e9c90	0x12ec	Delphi compiled form 'TRzFrmCustomizeToolbar'			0.2698183319570603
RT_GROUP_CURSOR	0x4eaf7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x4eaf90	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x4eafa4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x4eafb8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x4eafcc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x4eafe0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x4eaff4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x4eb008	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x4eb01c	0x14	data	Chinese	China	1.2
RT_VERSION	0x4eb030	0x314	data	Chinese	China	0.43781725888324874

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TryEnterCriticalSection, Sleep, SizeofResource, SetThreadLocale, SetProcessAffinityMask, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, OutputDebugStringA, OpenProcess, OpenFileMappingA, MultiByteToWideChar, MulDiv, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, IsValidLocale, IsDBCSLeadByte, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcessAffinityMask, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FlushInstructionCache, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeviceIoControl, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, SwitchDesktop, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenDesktopA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumDisplaySettingsA, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseDesktop, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, ChangeDisplaySettingsA, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	GetErrorInfo, GetActiveObject, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
wininet.dll	InternetCheckConnectionA, InternetQueryOptionA
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, WSACancelAsyncRequest, WSAAsyncGetServByName, WSAAsyncGetHostByName, WSAAsyncSelect, getservbyname, gethostbyname, socket, setsockopt, send, select, recv, ntohs, listen, ioctlsocket, inet_addr, htons, connect, closesocket, bind
d3d8.dll	Direct3DCreate8
D3DX81ab.dll	D3DXCreateTexture, D3DXSaveSurfaceToFileA, D3DXMatrixOrthoOffCenterLH, D3DXMatrixTranslation, D3DXMatrixScaling, D3DXMatrixMultiply

Version Infos

Description	Data
CompanyName	http://www.gameofmir.com
FileDescription	GameOfMir
FileVersion	1.0.0.0
InternalName	GameOfMir
LegalCopyright	GameOfMir
LegalTrademarks
OriginalFilename
ProductName	GameOfMir
ProductVersion	1.0.0.0
Comments
Translation	0x0804 0x03a8

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

• SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Click to jump to process

Target ID:	0
Start time:	17:15:05
Start date:	24/03/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe"
Imagebase:	0x400000
File size:	4'650'332 bytes
MD5 hash:	78D9EE13F2D8F27FC5C4B930EA05A78B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exePID: 8640, Parent PID: 3084

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Windows Analysis Report
SecuriteInfo.com.TScope.Trojan.Delf.17124.14393.exe