Analysis Report TRENWATR.EXE

Overview

General Information

Sample Name: TRENWATR.EXE
Analysis ID: 383916
MD5: 4c8c4125a16387f16558e841a704c718
SHA1: a550ec500bfa00f45ac799b9e5f4868a30892e23
SHA256: 5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b
Tags: AgentTeslaEXE

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal FTP login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 21.2.outlook.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "datastore1840@yandex.comopjis0123smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: TRENWATR.EXE Virustotal: Detection: 16%
Source: TRENWATR.EXE ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TRENWATR.EXE Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 21.2.outlook.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 22.2.outlook.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.TRENWATR.EXE.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: TRENWATR.EXE Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TRENWATR.EXE Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E47A00
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E49127
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E49128
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E479FF
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B8440
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B9960
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B9950
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B842F
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D8440
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D9950
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D9960
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D842F
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D84F4
Source: TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, outlook.exe, 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://JaIZBT.com
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.236572064.0000000005F3B000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.235975296.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: TRENWATR.EXE, 00000000.00000002.259743735.0000000002EE1000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360749670.0000000002EE9000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360529730.0000000002E91000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374700347.00000000032EB000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374363731.0000000003291000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: outlook.exe, 00000012.00000002.360749670.0000000002EE9000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374700347.00000000032EB000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: TRENWATR.EXE, 00000005.00000002.513816109.0000000003135000.00000004.00000001.sdmp String found in binary or memory: http://smtp.yandex.com
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://subca.ocsp-certum.com0.
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TRENWATR.EXE, 00000000.00000003.239865090.0000000005F44000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: TRENWATR.EXE, 00000000.00000003.240042629.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlzi
Source: TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: TRENWATR.EXE, 00000000.00000003.238291911.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com8
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comC
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comD
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comMic
Source: TRENWATR.EXE, 00000000.00000003.238264721.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comV
Source: TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comY
Source: TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comand
Source: TRENWATR.EXE, 00000000.00000003.238264721.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comelpLm
Source: TRENWATR.EXE, 00000000.00000003.238587043.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comes
Source: TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comi
Source: TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comits
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.compe
Source: TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.compef
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comperN
Source: TRENWATR.EXE, 00000000.00000003.238264721.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comrh
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comsign
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comtig
Source: TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comto
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: TRENWATR.EXE, 00000000.00000003.248532139.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers&c
Source: TRENWATR.EXE, 00000000.00000003.241642807.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TRENWATR.EXE, 00000000.00000003.242859092.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TRENWATR.EXE, 00000000.00000003.242859092.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlt
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.242503896.0000000005F47000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TRENWATR.EXE, 00000000.00000003.242301739.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlX
Source: TRENWATR.EXE, 00000000.00000003.242105483.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers0c.
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: TRENWATR.EXE, 00000000.00000003.241695306.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersZ
Source: TRENWATR.EXE, 00000000.00000002.259515653.0000000001717000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comB.TTFG
Source: TRENWATR.EXE, 00000000.00000002.259515653.0000000001717000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: TRENWATR.EXE, 00000000.00000002.259515653.0000000001717000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: TRENWATR.EXE, 00000000.00000003.237832318.0000000005F53000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.237698757.0000000005F47000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: TRENWATR.EXE, 00000000.00000003.237832318.0000000005F53000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn$RZ
Source: TRENWATR.EXE, 00000000.00000003.237913831.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TRENWATR.EXE, 00000000.00000003.237832318.0000000005F53000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnq
Source: TRENWATR.EXE, 00000000.00000003.244974147.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TRENWATR.EXE, 00000000.00000003.245675829.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmhi
Source: TRENWATR.EXE, 00000000.00000003.248272029.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmtr-tr
Source: TRENWATR.EXE, 00000000.00000003.244974147.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/xM
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TRENWATR.EXE, 00000000.00000003.241477321.0000000005F47000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.241231274.0000000005F47000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: TRENWATR.EXE, 00000000.00000003.234896317.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: TRENWATR.EXE, 00000000.00000003.234896317.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comd
Source: TRENWATR.EXE, 00000000.00000003.234896317.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comx
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: TRENWATR.EXE, 00000000.00000003.237176182.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: TRENWATR.EXE, 00000000.00000003.237176182.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kra-d&u
Source: TRENWATR.EXE, 00000000.00000003.237176182.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krony
Source: outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: TRENWATR.EXE, 00000000.00000003.237954503.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com#gO
Source: TRENWATR.EXE, 00000000.00000003.237977092.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comT
Source: TRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.236015819.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: TRENWATR.EXE, 00000000.00000003.236015819.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netL.TTFOq
Source: TRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netcreen
Source: TRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netliqueFq
Source: TRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netor
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: http://yandex.ocsp-responder.com03
Source: TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: outlook.exe, outlook.exe, 00000014.00000002.370585135.0000000000EB2000.00000002.00020000.sdmp, outlook.exe, 00000015.00000002.376295024.00000000005B2000.00000002.00020000.sdmp, outlook.exe, 00000016.00000000.368954462.0000000000AB2000.00000002.00020000.sdmp, TRENWATR.EXE String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: outlook.exe, outlook.exe, 00000015.00000002.376295024.00000000005B2000.00000002.00020000.sdmp, outlook.exe, 00000016.00000000.368954462.0000000000AB2000.00000002.00020000.sdmp, TRENWATR.EXE String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: outlook.exe, outlook.exe, 00000014.00000002.370585135.0000000000EB2000.00000002.00020000.sdmp, outlook.exe, 00000015.00000002.376295024.00000000005B2000.00000002.00020000.sdmp, outlook.exe, 00000016.00000000.368954462.0000000000AB2000.00000002.00020000.sdmp, TRENWATR.EXE String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: TRENWATR.EXE, 00000000.00000002.260543683.0000000003EEC000.00000004.00000001.sdmp, TRENWATR.EXE, 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp, outlook.exe, 00000012.00000002.361897576.0000000003E9C000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp, outlook.exe, 00000015.00000002.376120241.0000000000402000.00000040.00000001.sdmp, outlook.exe, 00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, outlook.exe, 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, TRENWATR.EXE, 00000005.00000002.513517765.00000000030FF000.00000004.00000001.sdmp, TRENWATR.EXE, 00000005.00000002.513965089.0000000003159000.00000004.00000001.sdmp String found in binary or memory: https://yOXP6NtnFAR44DUBv.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: outlook.exe, 00000012.00000002.358907457.00000000011AB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 5.2.TRENWATR.EXE.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6D4ECB85u002d43B1u002d4D40u002d9D23u002d56D2949191A7u007d/D248AEB2u002dB262u002d410Eu002dB587u002dCA91D7E33B16.cs Large array initialization: .cctor: array initializer size 11927
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F573C NtQueryInformationProcess, 20_2_074F573C
Detected potential crypto function
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_00AB2050 0_2_00AB2050
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_0170DCF4 0_2_0170DCF4
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_0170C3A0 0_2_0170C3A0
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_0170E218 0_2_0170E218
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_0170A748 0_2_0170A748
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E48268 0_2_02E48268
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E407E8 0_2_02E407E8
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E45A40 0_2_02E45A40
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E42368 0_2_02E42368
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E42358 0_2_02E42358
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E40040 0_2_02E40040
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E40006 0_2_02E40006
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E45680 0_2_02E45680
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E41660 0_2_02E41660
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E4567F 0_2_02E4567F
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E41650 0_2_02E41650
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E407D9 0_2_02E407D9
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E45A30 0_2_02E45A30
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E42820 0_2_02E42820
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E42830 0_2_02E42830
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_00982050 5_2_00982050
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_00984842 5_2_00984842
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_00984793 5_2_00984793
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_011D46A0 5_2_011D46A0
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_011D35C4 5_2_011D35C4
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_011D45D0 5_2_011D45D0
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_011D4690 5_2_011D4690
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_011D5391 5_2_011D5391
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_011DD980 5_2_011DD980
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_01379150 5_2_01379150
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_013705E8 5_2_013705E8
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_0137B5C0 5_2_0137B5C0
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_01373C00 5_2_01373C00
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_01370D80 5_2_01370D80
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_0137F4D0 5_2_0137F4D0
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_01376F70 5_2_01376F70
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_01370E20 5_2_01370E20
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_00922050 18_2_00922050
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_00924842 18_2_00924842
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_00924793 18_2_00924793
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5A40 18_2_013B5A40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B8C40 18_2_013B8C40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B07DB 18_2_013B07DB
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B003B 18_2_013B003B
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B2830 18_2_013B2830
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B2820 18_2_013B2820
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B0040 18_2_013B0040
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B2368 18_2_013B2368
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B2358 18_2_013B2358
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5A30 18_2_013B5A30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5C66 18_2_013B5C66
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5CAF 18_2_013B5CAF
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5CA3 18_2_013B5CA3
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5671 18_2_013B5671
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B1660 18_2_013B1660
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B1653 18_2_013B1653
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B5680 18_2_013B5680
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147DCF4 18_2_0147DCF4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147C148 18_2_0147C148
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147E223 18_2_0147E223
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147A748 18_2_0147A748
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_02D743DC 18_2_02D743DC
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_02D77970 18_2_02D77970
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_00EB4842 20_2_00EB4842
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_00EB2050 20_2_00EB2050
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_00EB4793 20_2_00EB4793
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5A40 20_2_031D5A40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D07E8 20_2_031D07E8
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D8C40 20_2_031D8C40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D2358 20_2_031D2358
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D2368 20_2_031D2368
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5A30 20_2_031D5A30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D0006 20_2_031D0006
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D2830 20_2_031D2830
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D2820 20_2_031D2820
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D0040 20_2_031D0040
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D0747 20_2_031D0747
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D07D8 20_2_031D07D8
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D1653 20_2_031D1653
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5671 20_2_031D5671
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D1660 20_2_031D1660
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5680 20_2_031D5680
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5C66 20_2_031D5C66
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5CAF 20_2_031D5CAF
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D5CA3 20_2_031D5CA3
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_032694A8 20_2_032694A8
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_0326DCF4 20_2_0326DCF4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_0326C3A0 20_2_0326C3A0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_0326E218 20_2_0326E218
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_0326A748 20_2_0326A748
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F8780 20_2_074F8780
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F6688 20_2_074F6688
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FE348 20_2_074FE348
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F6EA0 20_2_074F6EA0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F3C78 20_2_074F3C78
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F5AE0 20_2_074F5AE0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F78D0 20_2_074F78D0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F3888 20_2_074F3888
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F872A 20_2_074F872A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F873F 20_2_074F873F
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F864D 20_2_074F864D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F664A 20_2_074F664A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F6615 20_2_074F6615
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FE630 20_2_074FE630
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F65E0 20_2_074F65E0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FF378 20_2_074FF378
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FA240 20_2_074FA240
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FA250 20_2_074FA250
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F6E90 20_2_074F6E90
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FAD01 20_2_074FAD01
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FAD10 20_2_074FAD10
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F5AD0 20_2_074F5AD0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FAA88 20_2_074FAA88
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FAA98 20_2_074FAA98
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FB99A 20_2_074FB99A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FB9A0 20_2_074FB9A0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F3878 20_2_074F3878
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074F78C0 20_2_074F78C0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FA898 20_2_074FA898
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_074FA8A8 20_2_074FA8A8
PE file contains strange resources
Source: TRENWATR.EXE Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: outlook.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: TRENWATR.EXE, 00000000.00000002.259743735.0000000002EE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000002.270090172.0000000007510000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000000.232150888.0000000000B68000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000002.259842280.0000000002F2E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXClcfvohVHtCAIPGfwbTlOxbHZPR.exe4 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameXClcfvohVHtCAIPGfwbTlOxbHZPR.exe4 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.498707080.0000000000A38000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.506052290.0000000002E60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.518540002.0000000006430000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.499094834.0000000000BF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TRENWATR.EXE
Source: TRENWATR.EXE Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
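The lines above are what the "different than original file name" signature keys on: the VS_VERSIONINFO resource carries an OriginalFilename string, and here three different values (EnumSByteTypeInfo.exe, XClcfvohVHtCAIPGfwbTlOxbHZPR.exe, and the DLL names) show up across process memory, none matching TRENWATR.EXE. The following is an added example, not code from the report or the sample, that reproduces the check without a PE library so it also works on raw memory dumps. It scans for the UTF-16 key and reads the value length from the String header; the SAMPLE_DUMP bytes are constructed here and only reuse the two .exe names the report recovered.

```python
import struct

# UTF-16LE "OriginalFilename" plus its NUL terminator, as stored in a VS_VERSIONINFO String.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def extract_original_filenames(blob: bytes) -> list[str]:
    """Return every OriginalFilename value in a PE image or process memory dump.

    Each occurrence is a VS_VERSIONINFO String structure:
        WORD wLength; WORD wValueLength; WORD wType; WCHAR szKey[]; [pad to DWORD]; WORD Value[]
    Scanning for the key instead of walking the resource tree means the same code
    works on a raw dump, where several embedded assemblies each carry their own
    version resource (the report lists three different values for one sample).
    """
    names: list[str] = []
    pos = blob.find(KEY)
    while pos != -1:
        hdr = pos - 6                            # the 3-WORD header sits just before szKey
        if hdr >= 0:
            _w_length, w_value_len, w_type = struct.unpack_from("<HHH", blob, hdr)
            val = pos + len(KEY)
            val += (-(val - hdr)) % 4            # Value is DWORD-aligned relative to the struct
            if w_type == 1 and 0 < w_value_len < 260:
                raw = blob[val:val + 2 * w_value_len]        # wValueLength counts WCHARs
            else:                                # header looks wrong: fall back to NUL scan
                end = val
                while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
                    end += 2
                raw = blob[val:end]
            name = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
            if name:
                names.append(name)
        pos = blob.find(KEY, pos + len(KEY))
    return names


def filename_mismatches(sample_name: str, blob: bytes) -> list[str]:
    """OriginalFilename values that disagree with the on-disk name (case-insensitive)."""
    return [n for n in extract_original_filenames(blob) if n.lower() != sample_name.lower()]


def _version_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String structure (constructed test data, not a real resource)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = bytearray(6) + k
    body += b"\x00" * ((-len(body)) % 4)
    body += v
    struct.pack_into("<HHH", body, 0, len(body), len(v) // 2, 1)
    return bytes(body)


# Constructed stand-in for a memory dump: two version resources separated by odd-length
# filler, so alignment is handled relative to each structure rather than the file offset.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 62
    + _version_string("OriginalFilename", "EnumSByteTypeInfo.exe")
    + b"\xcc" * 17
    + _version_string("OriginalFilename", "XClcfvohVHtCAIPGfwbTlOxbHZPR.exe")
)

if __name__ == "__main__":
    for n in filename_mismatches("TRENWATR.EXE", SAMPLE_DUMP):
        print(f"OriginalFilename {n} vs TRENWATR.EXE")
```

Reading wValueLength from the header is what keeps the value clean; the stray trailing characters in the report's strings (`exeD`, `dll"`, `exe4`) are most likely the next structure's length byte picked up by a plain string scan running past the terminator. Run the function over every memory dump of the process tree, not just the file on disk, because the injected payload's version info (XClcfvohVHtCAIPGfwbTlOxbHZPR.exe) only exists in memory.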
Uses 32bit PE files
Source: TRENWATR.EXE Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TRENWATR.EXE Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: outlook.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.TRENWATR.EXE.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical entries)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/4@0/0
Source: C:\Users\user\Desktop\TRENWATR.EXE File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRENWATR.EXE.log
Source: TRENWATR.EXE Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TRENWATR.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (4 identical entries)
Source: C:\Users\user\Desktop\TRENWATR.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRENWATR.EXE Virustotal: Detection: 16%
Source: TRENWATR.EXE ReversingLabs: Detection: 14%
Source: C:\Users\user\Desktop\TRENWATR.EXE File read: C:\Users\user\Desktop\TRENWATR.EXE
Source: unknown Process created: C:\Users\user\Desktop\TRENWATR.EXE 'C:\Users\user\Desktop\TRENWATR.EXE'
Source: C:\Users\user\Desktop\TRENWATR.EXE Process created: C:\Users\user\Desktop\TRENWATR.EXE C:\Users\user\Desktop\TRENWATR.EXE (2 identical entries)
Source: unknown Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe 'C:\Users\user\AppData\Roaming\outlook\outlook.exe' (2 identical entries)
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe (4 identical entries)
Source: C:\Users\user\Desktop\TRENWATR.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: TRENWATR.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TRENWATR.EXE Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_00AC851B push dword ptr [esi+3Fh]; iretd 0_2_00AC852D
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_00AB5683 push es; retf 0_2_00AB5684
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E40587 push ss; ret 0_2_02E40593
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 0_2_02E40595 push ss; ret 0_2_02E4059A
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_0099851B push dword ptr [esi+3Fh]; iretd 5_2_0099852D
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_00985683 push es; retf 5_2_00985684
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_00999287 push FFFFFFD9h; iretd 5_2_009992A4
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_0112D95C push eax; ret 5_2_0112D95D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0093851B push dword ptr [esi+3Fh]; iretd 18_2_0093852D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_00925683 push es; retf 18_2_00925684
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_00939287 push FFFFFFD9h; iretd 18_2_009392A4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B0595 push ss; ret 18_2_013B059A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_013B0587 push ss; ret 18_2_013B0593
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147A728 pushfd ; retf 18_2_0147B072
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147446F push edi; retf 0002h 18_2_01474482
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147AF71 pushfd ; retf 18_2_0147AF72
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147AF20 pushfd ; retf 18_2_0147AF22
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147AF28 pushfd ; retf 18_2_0147AF2A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_0147AED1 pushfd ; retf 18_2_0147AED2
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 18_2_01473768 push eax; retf 18_2_01473769
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_00EC851B push dword ptr [esi+3Fh]; iretd 20_2_00EC852D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_00EB5683 push es; retf 20_2_00EB5684
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_00EC9287 push FFFFFFD9h; iretd 20_2_00EC92A4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D0595 push ss; ret 20_2_031D059A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 20_2_031D0587 push ss; ret 20_2_031D0593
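The "call, push, ret" signature above fires on instruction pairs such as `push ss; ret`, `push es; retf`, `pushfd ; retf` and `push FFFFFFD9h; iretd`: a push of a segment register, flags or an immediate followed by a return is not something a compiler emits, so it suggests either hand-made control-flow obfuscation or bytes that are not code at all. The following is an added example, not code from the report, of how such a heuristic can be implemented over raw x86 bytes. It is narrower than the sandbox's: it only matches a push that is immediately followed by the return (the report's `5_2_00999287 ... 5_2_009992A4` hit spans several instructions), and the SAMPLE_CODE bytes are constructed for the demonstration, not taken from the sample.

```python
# One-byte x86 push forms the heuristic pairs with a return; mnemonics match the report's wording.
PUSH_OPCODES = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x9C: "pushfd",
}
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}      # no operand
RET_IMM16_OPCODES = {0xC2: "ret", 0xCA: "retf"}               # followed by a 16-bit pop count


def find_push_ret(code: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Report (address, 'push ...; ret...') for every push immediately followed by a return.

    `base` is the virtual address of code[0], so hits print like the report's
    0_2_XXXXXXXX entries.  Only adjacent pairs are matched; a real disassembler
    pass would be needed to tolerate instructions in between.
    """
    hits: list[tuple[int, str]] = []
    i, n = 0, len(code)
    while i < n - 1:
        op = code[i]
        if op in PUSH_OPCODES:
            mnemonic, length = PUSH_OPCODES[op], 1
        elif op == 0x6A:                                  # push imm8, sign-extended to 32 bits
            imm = code[i + 1]
            mnemonic, length = f"push {(imm - 0x100 if imm & 0x80 else imm) & 0xFFFFFFFF:08X}h", 2
        else:
            i += 1
            continue
        j = i + length
        if j < n and code[j] in RET_OPCODES:
            hits.append((base + i, f"{mnemonic}; {RET_OPCODES[code[j]]}"))
        elif j + 2 < n and code[j] in RET_IMM16_OPCODES:
            pops = int.from_bytes(code[j + 1:j + 3], "little")
            hits.append((base + i, f"{mnemonic}; {RET_IMM16_OPCODES[code[j]]} {pops:04X}h"))
        i += length
    return hits


# Constructed bytes covering each pair form the report lists, separated by NOPs.
SAMPLE_CODE = bytes.fromhex("90 16 C3 90 06 CB 6A D9 CF 57 CA 02 00 9C CB 50 C3")
# A normal compiler prologue/epilogue: push ebp; mov ebp, esp; pop ebp; ret.  Must not match.
BENIGN_PROLOGUE = bytes.fromhex("55 8B EC 5D C3")

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE_CODE, base=0x02E40000):
        print(f"0_2_{addr:08X} {text}")
```

Treat the result as supporting evidence only. In a .NET process the flagged ranges (0x02E4xxxx, 0x013Bxxxx, 0x031Dxxxx here) are typically JIT or heap pages rather than the assembly's .text, and a `push ss; ret` decoded out of such a region is at least as likely to be data or padding as deliberate obfuscation.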
Source: initial sample Static PE information: section name: .text entropy: 7.54897918265 (2 identical entries)
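A .text entropy of 7.55 bits per byte is the static counterpart to the crypto-API and injection findings elsewhere in this report: compiled code usually sits around 6 to 6.5, and values above roughly 7 mean the section is mostly compressed or encrypted payload that is unpacked at run time. The following is an added example, not code from the report, that computes per-section entropy by walking the PE headers by hand. The 7.0 threshold is a common heuristic, not a value taken from the report, and SAMPLE_PE is a constructed minimal container (hash output standing in for packed code beside a low-entropy resource section), not the analysed file.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> dict[str, float]:
    """Entropy of every section's raw file data, keyed by section name.

    Walks IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_SECTION_HEADER[] by hand,
    so no third-party PE library is needed on the triage box.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]     # SizeOfOptionalHeader
    first_section = coff + 20 + size_opt
    result: dict[str, float] = {}
    for i in range(nsections):
        off = first_section + 40 * i                          # sizeof(IMAGE_SECTION_HEADER)
        name = pe[off:off + 8].rstrip(b"\x00").decode("ascii", errors="replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def packed_sections(pe: bytes, threshold: float = 7.0) -> list[str]:
    """Sections at or above the entropy threshold (7.0 is a common packed/encrypted heuristic)."""
    return [name for name, h in section_entropies(pe).items() if h >= threshold]


def build_fake_pe(sections: dict[str, bytes]) -> bytes:
    """Constructed minimal PE32 container for the given sections (test data, not loadable)."""
    e_lfanew, size_opt, align = 0x40, 224, 0x200
    nsec = len(sections)
    data_start = -(-(e_lfanew + 4 + 20 + size_opt + 40 * nsec) // align) * align
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, size_opt, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)    # PE32 magic, rest zeroed
    sec_hdrs, blobs, ptr = b"", b"", data_start
    for i, (name, data) in enumerate(sections.items()):
        raw = data + b"\x00" * ((-len(data)) % align)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data),
                                0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    headers = dos + file_hdr + opt_hdr + sec_hdrs
    return headers + b"\x00" * (data_start - len(headers)) + blobs


# Constructed sample: .text filled with SHA-256 output (stands in for encrypted/packed code)
# next to a two-symbol .rsrc section.  Not derived from the analysed sample.
SAMPLE_PE = build_fake_pe({
    ".text": b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128)),
    ".rsrc": b"A" * 1024 + b"\x00" * 1024,
})

if __name__ == "__main__":
    for name, h in section_entropies(SAMPLE_PE).items():
        print(f"{name:8} entropy {h:.3f}{'  <- likely packed' if h >= 7.0 else ''}")
```

Entropy alone does not distinguish a legitimately compressed resource from an encrypted stager, so use it to decide which sections to dump after the process has unpacked itself (the `5.2.TRENWATR.EXE.400000.0.unpack` artefact in this report is exactly that dump) rather than as a verdict by itself.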

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\TRENWATR.EXE File created: C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\Desktop\TRENWATR.EXE Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run outlook (2 identical entries)

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\trenwatr.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG481.tmp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\TRENWATR.EXE Registry key monitored for changes: HKEY_CURRENT_USER_Classes
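Taken together, the Persistence and Hiding entries above describe one installation sequence: drop outlook.exe under %APPDATA%, register it under HKCU\...\CurrentVersion\Run as "outlook", open the dropped file's Zone.Identifier stream with DELETE access so the mark-of-the-web disappears, and rename the original image into %TEMP% as a .tmp file. Any one of these is noisy on its own; the combination from a single process is a strong detection. The following is an added example, not code from the report or from any EDR product, that correlates such events in a simplified Sysmon-like schema of my own. SAMPLE_EVENTS is a constructed trace modelled on the report lines; the Run value's data is not shown in the report (only the value name "outlook"), so the path used here is an assumption, and the benign installer event is invented as a control.

```python
import ntpath
import re
from dataclasses import dataclass

# Autostart value under HKCU/HKLM ...\CurrentVersion\Run or RunOnce (value name is the last component).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Paths an unprivileged user can write to; software that autostarts from here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData\\(?:Roaming|Local)|Desktop|Downloads)\\", re.IGNORECASE)
TEMP_TMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    detail: str


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def analyze(events: list[dict]) -> list[Finding]:
    """Correlate file, registry and rename events from one execution trace."""
    # Pass 1: which PE files did each process write?  Needed to tell "autostart of a
    # file I just dropped" apart from a Run entry pointing at pre-existing software.
    dropped: dict[str, set[str]] = {}
    for ev in events:
        if ev["type"] == "file_create" and ev["path"].lower().endswith((".exe", ".dll")):
            dropped.setdefault(_norm(ev["process"]), set()).add(_norm(ev["path"]))

    findings: list[Finding] = []
    for ev in events:
        proc = ev["process"]
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = ev["data"].strip('"')
            if USER_WRITABLE_RE.match(target):
                tech = ("dropped_pe_autostart" if _norm(target) in dropped.get(_norm(proc), set())
                        else "autostart_user_writable")
                findings.append(Finding(proc, tech, f"{ev['key']} -> {target}"))
        elif (ev["type"] == "file_open" and ev["path"].lower().endswith(":zone.identifier")
              and "delete" in ev.get("access", "").lower()):
            # Opening the Zone.Identifier stream with DELETE access removes the mark-of-the-web.
            findings.append(Finding(proc, "motw_strip", ev["path"]))
        elif (ev["type"] == "file_move" and _norm(ev["source"]) == _norm(proc)
              and TEMP_TMP_RE.search(ev["dest"])):
            # The running image renames itself into %TEMP% under a .tmp name.
            findings.append(Finding(proc, "self_relocate", f"{ev['source']} -> {ev['dest']}"))
    return findings


def techniques_for(events: list[dict], process: str) -> set[str]:
    """The set of technique labels raised for one process image."""
    return {f.technique for f in analyze(events) if _norm(f.process) == _norm(process)}


# Constructed trace modelled on the report's Persistence / Hiding entries.  The Run value's
# data is not in the report (only the value name "outlook"); the path is assumed.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": r"C:\Users\user\Desktop\TRENWATR.EXE",
     "path": r"C:\Users\user\AppData\Roaming\outlook\outlook.exe"},
    {"type": "registry_set", "process": r"C:\Users\user\Desktop\TRENWATR.EXE",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\outlook",
     "data": r"C:\Users\user\AppData\Roaming\outlook\outlook.exe"},
    {"type": "file_open", "process": r"C:\Users\user\Desktop\TRENWATR.EXE",
     "path": r"C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "file_move", "process": r"C:\Users\user\Desktop\TRENWATR.EXE",
     "source": r"C:\Users\user\Desktop\TRENWATR.EXE",
     "dest": r"C:\Users\user\AppData\Local\Temp\tmpG481.tmp"},
    # Benign control: an installer registering a Run entry that points into Program Files.
    {"type": "registry_set", "process": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique:24} {f.process}  {f.detail}")
```

Mapping this onto real telemetry: the Run entry is Sysmon event 13 (RegistryEvent value set), the drop is event 11 (FileCreate), the Zone.Identifier removal shows up as event 23/26 (FileDelete) or, with ADS auditing, event 15 (FileCreateStreamHash), and the self-rename needs a file-rename source such as an EDR or object-access auditing. Score `dropped_pe_autostart` plus `motw_strip` from the same process as high confidence; either alone also fires on some legitimate self-updating software.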
Source: C:\Users\user\Desktop\TRENWATR.EXE Process information set: NOOPENFILEERRORBOX (90 identical entries)
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRENWATR.EXE PID: 1048, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 6696, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 6904, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TRENWATR.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TRENWATR.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TRENWATR.EXE Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\TRENWATR.EXE Window / User API: threadDelayed 3681
Source: C:\Users\user\Desktop\TRENWATR.EXE Window / User API: threadDelayed 6160
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Window / User API: threadDelayed 4487
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Window / User API: threadDelayed 5341
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 5532 Thread sleep time: -103548s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 2968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 4092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 3612 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 3392 Thread sleep count: 3681 > 30
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 3392 Thread sleep count: 6160 > 30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6700 Thread sleep time: -100745s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6908 Thread sleep time: -100818s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 3276 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 3276 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 608 Thread sleep count: 4487 > 30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 608 Thread sleep count: 5341 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TRENWATR.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TRENWATR.EXE Thread delayed: delay time: 103548
Source: C:\Users\user\Desktop\TRENWATR.EXE Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Thread delayed: delay time: 100745
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Thread delayed: delay time: 100818
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Thread delayed: delay time: 922337203685477
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: vmware
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\TRENWATR.EXE Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 5_2_0137ACA8 LdrInitializeThunk, 5_2_0137ACA8
Enables debug privileges
Source: C:\Users\user\Desktop\TRENWATR.EXE Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\TRENWATR.EXE Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\TRENWATR.EXE Memory written: C:\Users\user\Desktop\TRENWATR.EXE base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Memory written: C:\Users\user\AppData\Roaming\outlook\outlook.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TRENWATR.EXE Process created: C:\Users\user\Desktop\TRENWATR.EXE C:\Users\user\Desktop\TRENWATR.EXE
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp Binary or memory string: Progman
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Users\user\Desktop\TRENWATR.EXE VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Users\user\Desktop\TRENWATR.EXE VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Users\user\AppData\Roaming\outlook\outlook.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.376120241.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260543683.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261068565.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.376980132.00000000044A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.363998493.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.361897576.0000000003E9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.513517765.00000000030FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRENWATR.EXE PID: 1048, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 7012, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 6696, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 6904, type: MEMORY
Source: Yara match File source: Process Memory Space: TRENWATR.EXE PID: 3336, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 6944, type: MEMORY
Source: Yara match File source: 0.2.TRENWATR.EXE.3ff53d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.outlook.exe.44d1fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.outlook.exe.40d1fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.outlook.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.outlook.exe.3fa53d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.outlook.exe.43a53d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRENWATR.EXE.3ff53d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.outlook.exe.3fa53d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.outlook.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRENWATR.EXE.4121fe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.TRENWATR.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.outlook.exe.43a53d8.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 7012, type: MEMORY
Source: Yara match File source: Process Memory Space: TRENWATR.EXE PID: 3336, type: MEMORY
Source: Yara match File source: Process Memory Space: outlook.exe PID: 6944, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla (the same Yara matches as listed under Stealing of Sensitive Information above)
Behavior Graph ID: 383916 Sample: TRENWATR.EXE Startdate: 08/04/2021 Architecture: WINDOWS Score: 100
Root signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 4 other signatures
Processes started from the root: TRENWATR.EXE, outlook.exe, outlook.exe
TRENWATR.EXE: dropped C:\Users\user\AppData\...\TRENWATR.EXE.log (ASCII); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes; started a child TRENWATR.EXE
outlook.exe: Machine Learning detection for dropped file; started a child outlook.exe
outlook.exe (second instance): started a child outlook.exe
Child TRENWATR.EXE: dropped C:\Users\user\...\outlook.exe:Zone.Identifier (Unknown) and C:\Users\user\AppData\Roaming\...\outlook.exe (Unknown); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Moves itself to temp directory; Tries to steal Mail credentials (via file access); 3 other signatures
No contacted IP infos