Windows Analysis Report
SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe
Analysis ID:	1428529
MD5:	8248611347661c3ea4f8e27335cd1700
SHA1:	91e8b00f747f551edc43da93586f555cb98bb28d
SHA256:	59f4ae1f38b93b1303c37894f8bce134d2f75e6404bee7509a97b951c824b5bd
Tags:	exe
Infos:

Detection

Score:	19
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Tries to harvest and steal browser information (history, passwords, etc)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables security privileges

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: H:\Projects\FoneTool\tools\ftinst\build\.build_static_x86_vc14.1_xp\RelWithDebInfo\ftinst.pdb source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B6D7E0 FindFirstFileA,FindClose,FindNextFileA,FindClose,GetLastError,RemoveDirectoryA,		0_2_00B6D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A48BE0 OpenMutexW,CreateMutexW,WaitForSingleObject,FindFirstFileA,FindClose,DeleteFileA,ReleaseMutex,ReleaseMutex,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,__Init_thread_footer,GetModuleFileNameA,_strrchr,__Init_thread_footer,		0_2_00A48BE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B9B140 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetSetOptionA,SetLastError,HttpQueryInfoA,HttpQueryInfoA,HttpQueryInfoA,HttpQueryInfoA,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00B9B140

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673595275.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673690345.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671594449.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673404574.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671555330.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673517650.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673473687.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673595275.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673690345.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersh
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666212503.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666141866.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666082767.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666212503.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666141866.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666082767.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666212503.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1668867021.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1668867021.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//ta
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/://w
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1668867021.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0tr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/of
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1676399480.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1676399480.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1676519881.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.4
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1659304789.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658918288.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1659190883.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe7x
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe?
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exea
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeha
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exes
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/configinfo/ft.dat
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/configinfo/ft.dat)
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/configinfo/ft.dat)FoneTool.TitleBar.SaleButtonInNotLi
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/setups/FoneTool_free.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/setups/MBackupper_setup.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/setups/MBackupper_setup.exehttp://www2.aomeisoftware.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://a.aomeisoftware.com/api/v2/soft/collect
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.aomeisoftware.com/api/v2/soft/collectp
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://b.aomeisoftware.com/api/v2/soft/collect
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mobile.ubackup.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mobile.ubackup.com/130003
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.aomeitech.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.aomeitech.com/101004
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.aomeitech.com/mbackupper/thanks-install.html?ver=onstd
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.aomeitech.com/mbackupper/thanks-install.html?ver=onstdOnSetup.SaveAsExtendedDataonlineme
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.html0y
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.htmlup
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.htmluz
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=off%s)
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFreeo
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFreeq
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFreetdxU
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?ver=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/uninstall-completed.htmlR~2
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/uninstall-completed.htmlu
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/upgrade-now.html?sourc~z
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001133000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/de/7
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/de/campaign/uninstall-completed.htmlO
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/de/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/ded
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=off%sw
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=onFreer
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/es/campaign/uninstall-completed.html6~
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/fo
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFreeuy
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/fr/campaign/uninstall-completed.htmli~
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/fr/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/B
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/campaign/download-latest-version.htmlV
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=onFreej
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/campaign/uninstall-c
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/E
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFreeN
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFreey
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/campaign/uninstall-completed.htmlH
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/d
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/jp/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/tw/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/twO
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/twlf.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com4
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.comd
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeGa
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeN
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeR
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeZa9
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeax/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.execa
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exer
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.ini
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniEx
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniJx
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniUa6
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniW
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.inii
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.inij
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.inim
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniub
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinesetup.ini
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinesetup.inihttps://www2.aomeisoftware.com/download
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www2.aomeisoftware.com/download/mbackup/configinfo/Config/MBUpgrade.json
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/mbackup/configinfo/Config/MBUpgrade.jsonuy
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/mbackup/setups/FoneTool_free.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B0E730	0_2_00B0E730
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00AD1B80	0_2_00AD1B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B0E020	0_2_00B0E020
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A59160	0_2_00A59160
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D112CF	0_2_00D112CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A6A290	0_2_00A6A290
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D2321D	0_2_00D2321D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B7E360	0_2_00B7E360
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D0D320	0_2_00D0D320
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A924D0	0_2_00A924D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B0B630	0_2_00B0B630
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00BA9600	0_2_00BA9600
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A6A910	0_2_00A6A910
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A7E940	0_2_00A7E940
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B27A00	0_2_00B27A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A83A70	0_2_00A83A70
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A42A40	0_2_00A42A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D22B85	0_2_00D22B85
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D23B72	0_2_00D23B72
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B79CD0	0_2_00B79CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D22DB4	0_2_00D22DB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B7AD60	0_2_00B7AD60
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D0DFCC	0_2_00D0DFCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CABFE0	0_2_00CABFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A92F20	0_2_00A92F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A67F40	0_2_00A67F40

Enables security privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: String function: 00CEB8E0 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: String function: 00C5020B appears 59 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: String function: 00A6A250 appears 61 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922793827.0000000000EFB000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFoneTool Installer.exeF vs SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000000.1657879012.0000000000EFB000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFoneTool Installer.exeF vs SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Binary or memory string: OriginalFilenameFoneTool Installer.exeF vs SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Uses 32bit PE files

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9890678818888177

Source: classification engine

Classification label: clean19.spyw.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Mutant created: \Sessions\1\BaseNamedObjects\Guid_{FAC4F138-6147-4899-90CA-5A9F7A70EAB4}
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Mutant created: \Sessions\1\BaseNamedObjects\bipc_gmap_sem_lock_7532_13357974356.922226

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File created: C:\Users\user\AppData\Local\Temp\97ccea83-52aa-455f-9ae6-4693882dff99.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File read: C:\ProgramData\AomeiMB\usercfg.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE cookies set %s="%s" where %s="%s";
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE cookies set %s = "%s" where %s="%s";
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE moz_cookies set %s="%s" where %s="%s";

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: 130002,https://www.aomeitech.com/mbackupper/thanks-install.html?ver=onstd
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.de.WebInstalledFhttps://www.fonetool.com/de/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.en.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.es.WebInstalledFhttps://www.fonetool.com/es/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.fr.WebInstalledFhttps://www.fonetool.com/fr/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.it.WebInstalledFhttps://www.fonetool.com/it/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.ja.WebInstalledFhttps://www.fonetool.com/jp/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.nl.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.pl.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.zh_CN.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.zh_TW.WebInstalledFhttps://www.fonetool.com/tw/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.de.130002Ghttps://www.fonetool.com/de/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.en.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.es.130002Ghttps://www.fonetool.com/es/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.fr.130002Ghttps://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.it.130002Ghttps://www.fonetool.com/it/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.ja.130002Ghttps://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.nl.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.pl.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.zh_CN.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.zh_TW.130002Ghttps://www.fonetool.com/tw/campaign/thanks-install.html?edition=onFree

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File written: C:\ProgramData\AomeiMB\usercfg.ini

Jump to behavior

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static file information: File size 1885792 > 1048576

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x186200

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CEB429 push ecx; ret		0_2_00CEB43C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CEB926 push ecx; ret		0_2_00CEB939

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A4D710 GetPrivateProfileStringA,		0_2_00A4D710
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A4DD90 GetPrivateProfileStringA,		0_2_00A4DD90

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B6D7E0 FindFirstFileA,FindClose,FindNextFileA,FindClose,GetLastError,RemoveDirectoryA,		0_2_00B6D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A48BE0 OpenMutexW,CreateMutexW,WaitForSingleObject,FindFirstFileA,FindClose,DeleteFileA,ReleaseMutex,ReleaseMutex,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,__Init_thread_footer,GetModuleFileNameA,_strrchr,__Init_thread_footer,		0_2_00A48BE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00A410A0 GetSystemInfo,

0_2_00A410A0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00D17C49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D17C49

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00D4807D mov eax, dword ptr fs:[00000030h]

0_2_00D4807D

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B38130 ___std_exception_destroy,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

0_2_00B38130

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CEA5C3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00CEA5C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D17C49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D17C49

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B6CF50 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryA,

0_2_00B6CF50

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	0_2_00D5178D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00D5DAE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,	0_2_00D5E13A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00D5E263
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,	0_2_00D5E36A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00D5E437
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,	0_2_00D5DCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D5DDC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D5DD59
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D50D3D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00D5DEEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D5DE5D

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B6D000 GetLastError,GetLastError,__CxxThrowException@8,GetSystemTimeAsFileTime,

0_2_00B6D000

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00D536BB _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00D536BB

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NetWork\Cookies			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B6D7E0 FindFirstFileA,FindClose,FindNextFileA,FindClose,GetLastError,RemoveDirectoryA,		0_2_00B6D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A48BE0 OpenMutexW,CreateMutexW,WaitForSingleObject,FindFirstFileA,FindClose,DeleteFileA,ReleaseMutex,ReleaseMutex,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,__Init_thread_footer,GetModuleFileNameA,_strrchr,__Init_thread_footer,		0_2_00A48BE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

0_2_00B9B140

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673595275.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673690345.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671594449.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673404574.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671555330.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673517650.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673473687.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673595275.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1673690345.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersh
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666212503.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666141866.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666082767.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666212503.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666141866.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666082767.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1666212503.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1668867021.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1668867021.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//ta
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/://w
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1668867021.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0tr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/of
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1670920120.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1669578089.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671497734.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1671776140.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1676399480.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1676399480.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1676519881.0000000002EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.4
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1659304789.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658918288.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1659190883.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2923930855.00000000043F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe7x
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe?
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exea
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeha
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/ftl/FoneTool_free.exes
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/configinfo/ft.dat
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/configinfo/ft.dat)
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/configinfo/ft.dat)FoneTool.TitleBar.SaleButtonInNotLi
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/setups/FoneTool_free.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/setups/MBackupper_setup.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www2.aomeisoftware.com/download/mbackup/setups/MBackupper_setup.exehttp://www2.aomeisoftware.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://a.aomeisoftware.com/api/v2/soft/collect
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.aomeisoftware.com/api/v2/soft/collectp
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://b.aomeisoftware.com/api/v2/soft/collect
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mobile.ubackup.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mobile.ubackup.com/130003
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.aomeitech.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.aomeitech.com/101004
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.aomeitech.com/mbackupper/thanks-install.html?ver=onstd
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.aomeitech.com/mbackupper/thanks-install.html?ver=onstdOnSetup.SaveAsExtendedDataonlineme
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.html0y
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.htmlup
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/download-latest-version.htmluz
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=off%s)
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFreeo
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFreeq
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFreetdxU
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?ver=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/uninstall-completed.htmlR~2
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/uninstall-completed.htmlu
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/campaign/upgrade-now.html?sourc~z
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001133000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/de/7
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/de/campaign/uninstall-completed.htmlO
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/de/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/ded
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=off%sw
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=onFreer
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/es/campaign/uninstall-completed.html6~
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/fo
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFreeuy
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/fr/campaign/uninstall-completed.htmli~
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/fr/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/B
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/campaign/download-latest-version.htmlV
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=onFreej
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/it/campaign/uninstall-c
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/E
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFreeN
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFreey
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/campaign/uninstall-completed.htmlH
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/jp/d
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/jp/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/download-latest-version.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/uninstall-completed.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/upgrade-now.html?source=
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.fonetool.com/tw/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/twO
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/twlf.
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com/ux-improvement-program.html
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.com4
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fonetool.comd
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeGa
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeN
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeR
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeZa9
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exeax/
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.execa
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/FoneTool_free.exer
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.ini
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniEx
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniJx
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniUa6
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniW
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.inii
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.inij
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.inim
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1678099416.0000000001177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinefree.iniub
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinesetup.ini
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/ftl/ftonlinesetup.inihttps://www2.aomeisoftware.com/download
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www2.aomeisoftware.com/download/mbackup/configinfo/Config/MBUpgrade.json
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000003.1658545798.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922874933.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/mbackup/configinfo/Config/MBUpgrade.jsonuy
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000E56000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www2.aomeisoftware.com/download/mbackup/setups/FoneTool_free.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B0E730	0_2_00B0E730
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00AD1B80	0_2_00AD1B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B0E020	0_2_00B0E020
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A59160	0_2_00A59160
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D112CF	0_2_00D112CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A6A290	0_2_00A6A290
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D2321D	0_2_00D2321D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B7E360	0_2_00B7E360
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D0D320	0_2_00D0D320
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A924D0	0_2_00A924D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B0B630	0_2_00B0B630
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00BA9600	0_2_00BA9600
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A6A910	0_2_00A6A910
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A7E940	0_2_00A7E940
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B27A00	0_2_00B27A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A83A70	0_2_00A83A70
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A42A40	0_2_00A42A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D22B85	0_2_00D22B85
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D23B72	0_2_00D23B72
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B79CD0	0_2_00B79CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D22DB4	0_2_00D22DB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B7AD60	0_2_00B7AD60
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D0DFCC	0_2_00D0DFCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CABFE0	0_2_00CABFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A92F20	0_2_00A92F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A67F40	0_2_00A67F40

Enables security privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: String function: 00CEB8E0 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: String function: 00C5020B appears 59 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: String function: 00A6A250 appears 61 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922793827.0000000000EFB000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFoneTool Installer.exeF vs SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000000.1657879012.0000000000EFB000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFoneTool Installer.exeF vs SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Binary or memory string: OriginalFilenameFoneTool Installer.exeF vs SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Uses 32bit PE files

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9890678818888177

Source: classification engine

Classification label: clean19.spyw.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Mutant created: \Sessions\1\BaseNamedObjects\Guid_{FAC4F138-6147-4899-90CA-5A9F7A70EAB4}
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Mutant created: \Sessions\1\BaseNamedObjects\bipc_gmap_sem_lock_7532_13357974356.922226

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File created: C:\Users\user\AppData\Local\Temp\97ccea83-52aa-455f-9ae6-4693882dff99.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File read: C:\ProgramData\AomeiMB\usercfg.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE cookies set %s="%s" where %s="%s";
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE cookies set %s = "%s" where %s="%s";
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe, 00000000.00000002.2922158925.0000000000A41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE moz_cookies set %s="%s" where %s="%s";

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: 130002,https://www.aomeitech.com/mbackupper/thanks-install.html?ver=onstd
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.de.WebInstalledFhttps://www.fonetool.com/de/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.en.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.es.WebInstalledFhttps://www.fonetool.com/es/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.fr.WebInstalledFhttps://www.fonetool.com/fr/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.it.WebInstalledFhttps://www.fonetool.com/it/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.ja.WebInstalledFhttps://www.fonetool.com/jp/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.nl.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.pl.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.zh_CN.WebInstalledChttps://www.fonetool.com/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OffSetup.zh_TW.WebInstalledFhttps://www.fonetool.com/tw/campaign/thanks-install.html?edition=off%s
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/de/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.de.130002Ghttps://www.fonetool.com/de/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.en.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/es/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.es.130002Ghttps://www.fonetool.com/es/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.fr.130002Ghttps://www.fonetool.com/fr/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/it/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.it.130002Ghttps://www.fonetool.com/it/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.ja.130002Ghttps://www.fonetool.com/jp/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.nl.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.pl.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.zh_CN.130002Dhttps://www.fonetool.com/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: https://www.fonetool.com/tw/campaign/thanks-install.html?edition=onFree
Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	String found in binary or memory: OnSetup.zh_TW.130002Ghttps://www.fonetool.com/tw/campaign/thanks-install.html?edition=onFree

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

File written: C:\ProgramData\AomeiMB\usercfg.ini

Jump to behavior

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static file information: File size 1885792 > 1048576

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x186200

Source: SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CEB429 push ecx; ret		0_2_00CEB43C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CEB926 push ecx; ret		0_2_00CEB939

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A4D710 GetPrivateProfileStringA,		0_2_00A4D710
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A4DD90 GetPrivateProfileStringA,		0_2_00A4DD90

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00B6D7E0 FindFirstFileA,FindClose,FindNextFileA,FindClose,GetLastError,RemoveDirectoryA,		0_2_00B6D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00A48BE0 OpenMutexW,CreateMutexW,WaitForSingleObject,FindFirstFileA,FindClose,DeleteFileA,ReleaseMutex,ReleaseMutex,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,__Init_thread_footer,GetModuleFileNameA,_strrchr,__Init_thread_footer,		0_2_00A48BE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00A410A0 GetSystemInfo,

0_2_00A410A0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00D17C49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D17C49

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00D4807D mov eax, dword ptr fs:[00000030h]

0_2_00D4807D

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B38130 ___std_exception_destroy,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

0_2_00B38130

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00CEA5C3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00CEA5C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: 0_2_00D17C49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D17C49

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B6CF50 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryA,

0_2_00B6CF50

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	0_2_00D5178D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00D5DAE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,	0_2_00D5E13A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00D5E263
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,	0_2_00D5E36A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00D5E437
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,	0_2_00D5DCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D5DDC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D5DD59
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D50D3D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00D5DEEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Code function: EnumSystemLocalesW,	0_2_00D5DE5D

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00B6D000 GetLastError,GetLastError,__CxxThrowException@8,GetSystemTimeAsFileTime,

0_2_00B6D000

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Code function: 0_2_00D536BB _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00D536BB

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NetWork\Cookies			Jump to behavior

ID:	1428529
Product:	CloudBasic
Start time:	06:25:07
Start date:	19.04.2024
Sample:	SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8248611347661c3ea4f8e27335cd1700
SHA1:	91e8b00f747f551edc43da93586f555cb98bb28d
SHA256:	59f4ae1f38b93b1303c37894f8bce134d2f75e6404bee7509a97b951c824b5bd
Filetype:	Win32 Executable (generic) a (10002005/4) 99.66%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\AomeiMB\FTSetup.ini	ASCII text, with CRLF line terminators	E0F6253ADFA10FD3A1143A1F215A83F2	986BDF8276D7863DE9C8CE8C7D164BC703BBCA21	895AE32D5128A269BB79CA69E5D8630FE99A24646C088EC9024063810FF39FA5
C:\ProgramData\AomeiMB\MBConfig.ini	ASCII text, with CRLF line terminators	611444D102AF24698AA5E2DF006EA7F5	EEC2702DCE69AD39985E2F0C29FF4DA208F2E3A5	2A5AEF942378715F5D0C1F08F669E338B8CC95FB8F16901D9447BD1A53A7D43E
C:\ProgramData\AomeiMB\usercfg.ini	ASCII text, with CRLF line terminators	0D873F9ABDB607AEEF88690D27A819B2	09ACEF92AB3D8F2C4B59B18287B884FDA4F650C1	80D555A7C9C64BD064A7B7050EBA0A55586C79A1DE25CA8B80CC4D5DF0541C11
C:\Users\user\AppData\Local\Temp\73d343e3-d818-4d96-909f-e3854b686899\43a355-daemon-20240419-0734.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	E3997F5127C79B24B5525DE8B9CF99EB	DBB001440848AEAA845518B5D215F72CD5EDF845	BE1C41BF5348E66E8B3AD6DD82A675D0204CC98F88395F2C22DC988DFBABDE8E
C:\Users\user\AppData\Local\Temp\97ccea83-52aa-455f-9ae6-4693882dff99.ini	ASCII text, with CRLF line terminators	BE63F16471F577E3261C9687959124EE	65E478ADF5118346CB408916DD295D72344CC170	AF0F1D44555095CEDD4660D278350CD9050286CEB74E6C3D211BB29F12F12D65

Windows Analysis Report
SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.BScope.TrojanPSW.Maria.32604.16928.exe