Analysis Report TRENWATR.EXE

Overview

General Information

Sample Name: TRENWATR.EXE
Analysis ID: 383916
MD5: 4c8c4125a16387f16558e841a704c718
SHA1: a550ec500bfa00f45ac799b9e5f4868a30892e23
SHA256: 5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b
Tags: AgentTesla, EXE

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • TRENWATR.EXE (PID: 1048 cmdline: 'C:\Users\user\Desktop\TRENWATR.EXE' MD5: 4C8C4125A16387F16558E841A704C718)
    • TRENWATR.EXE (PID: 3336 cmdline: C:\Users\user\Desktop\TRENWATR.EXE MD5: 4C8C4125A16387F16558E841A704C718)
  • outlook.exe (PID: 6696 cmdline: 'C:\Users\user\AppData\Roaming\outlook\outlook.exe' MD5: 4C8C4125A16387F16558E841A704C718)
    • outlook.exe (PID: 6944 cmdline: C:\Users\user\AppData\Roaming\outlook\outlook.exe MD5: 4C8C4125A16387F16558E841A704C718)
  • outlook.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Roaming\outlook\outlook.exe' MD5: 4C8C4125A16387F16558E841A704C718)
    • outlook.exe (PID: 7012 cmdline: C:\Users\user\AppData\Roaming\outlook\outlook.exe MD5: 4C8C4125A16387F16558E841A704C718)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "datastore1840@yandex.comopjis0123smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TRENWATR.EXE.3ff53d8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
20.2.outlook.exe.44d1fe8.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.outlook.exe.40d1fe8.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
21.2.outlook.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.outlook.exe.3fa53d8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 21.2.outlook.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "datastore1840@yandex.comopjis0123smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: TRENWATR.EXE Virustotal: Detection: 16%
Source: TRENWATR.EXE ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TRENWATR.EXE Joe Sandbox ML: detected
Source: 21.2.outlook.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 22.2.outlook.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.TRENWATR.EXE.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: TRENWATR.EXE Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TRENWATR.EXE Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E47A00
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E49127
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E49128
Source: C:\Users\user\Desktop\TRENWATR.EXE Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02E479FF
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B8440
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B9960
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B9950
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_013B842F
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D8440
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D9950
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D9960
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D842F
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_031D84F4
                      Source: outlook.exe, 00000012.00000002.358907457.00000000011AB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 5.2.TRENWATR.EXE.400000.0.unpack, <PrivateImplementationDetails>{6D4ECB85-43B1-4D40-9D23-56D2949191A7}/D248AEB2-B262-410E-B587-CA91D7E33B16.cs | Large array initialization: .cctor: array initializer size 11927
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F573C NtQueryInformationProcess
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_00AB2050
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_0170DCF4
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_0170C3A0
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_0170E218
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_0170A748
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E48268
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E407E8
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E45A40
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E42368
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E42358
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E40040
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E40006
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E45680
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E41660
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E4567F
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E41650
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E407D9
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E45A30
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E42820
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E42830
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00982050
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00984842
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00984793
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_011D46A0
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_011D35C4
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_011D45D0
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_011D4690
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_011D5391
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_011DD980
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_01379150
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_013705E8
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0137B5C0
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_01373C00
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_01370D80
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0137F4D0
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_01376F70
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_01370E20
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00922050
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00924842
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00924793
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5A40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B8C40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B07DB
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B003B
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B2830
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B2820
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B0040
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B2368
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B2358
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5A30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5C66
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5CAF
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5CA3
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5671
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B1660
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B1653
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B5680
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147DCF4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147C148
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147E223
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147A748
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_02D743DC
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_02D77970
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EB4842
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EB2050
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EB4793
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5A40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D07E8
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D8C40
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D2358
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D2368
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5A30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0006
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D2830
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D2820
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0040
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0747
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D07D8
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D1653
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5671
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D1660
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5680
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5C66
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5CAF
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D5CA3
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_032694A8
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_0326DCF4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_0326C3A0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_0326E218
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_0326A748
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F8780
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F6688
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FE348
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F6EA0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F3C78
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F5AE0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F78D0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F3888
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F872A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F873F
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F864D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F664A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F6615
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FE630
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F65E0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FF378
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FA240
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FA250
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F6E90
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FAD01
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FAD10
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F5AD0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FAA88
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FAA98
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FB99A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FB9A0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F3878
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F78C0
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FA898
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074FA8A8
Source: TRENWATR.EXE | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: outlook.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TRENWATR.EXE, 00000000.00000002.259743735.0000000002EE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000002.270090172.0000000007510000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000000.232150888.0000000000B68000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000002.259842280.0000000002F2E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameXClcfvohVHtCAIPGfwbTlOxbHZPR.exe4 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameXClcfvohVHtCAIPGfwbTlOxbHZPR.exe4 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.498707080.0000000000A38000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.506052290.0000000002E60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.518540002.0000000006430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.499094834.0000000000BF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TRENWATR.EXE
Source: TRENWATR.EXE | Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TRENWATR.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: outlook.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.TRENWATR.EXE.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/4@0/0
Source: C:\Users\user\Desktop\TRENWATR.EXE | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRENWATR.EXE.log
Source: TRENWATR.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TRENWATR.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRENWATR.EXE | Virustotal: Detection: 16%
Source: TRENWATR.EXE | ReversingLabs: Detection: 14%
Source: C:\Users\user\Desktop\TRENWATR.EXE | File read: C:\Users\user\Desktop\TRENWATR.EXE
Source: unknown | Process created: C:\Users\user\Desktop\TRENWATR.EXE 'C:\Users\user\Desktop\TRENWATR.EXE'
Source: C:\Users\user\Desktop\TRENWATR.EXE | Process created: C:\Users\user\Desktop\TRENWATR.EXE C:\Users\user\Desktop\TRENWATR.EXE
Source: unknown | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe 'C:\Users\user\AppData\Roaming\outlook\outlook.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe 'C:\Users\user\AppData\Roaming\outlook\outlook.exe'
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\Desktop\TRENWATR.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TRENWATR.EXE | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\TRENWATR.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: TRENWATR.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TRENWATR.EXE | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_00AC851B push dword ptr [esi+3Fh]; iretd 0_2_00AC852D
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_00AB5683 push es; retf 0_2_00AB5684
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E40587 push ss; ret 0_2_02E40593
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E40595 push ss; ret 0_2_02E4059A
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0099851B push dword ptr [esi+3Fh]; iretd 5_2_0099852D
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00985683 push es; retf 5_2_00985684
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00999287 push FFFFFFD9h; iretd 5_2_009992A4
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0112D95C push eax; ret 5_2_0112D95D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0093851B push dword ptr [esi+3Fh]; iretd 18_2_0093852D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00925683 push es; retf 18_2_00925684
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00939287 push FFFFFFD9h; iretd 18_2_009392A4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B0595 push ss; ret 18_2_013B059A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B0587 push ss; ret 18_2_013B0593
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147A728 pushfd ; retf 18_2_0147B072
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147446F push edi; retf 0002h 18_2_01474482
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AF71 pushfd ; retf 18_2_0147AF72
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AF20 pushfd ; retf 18_2_0147AF22
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AF28 pushfd ; retf 18_2_0147AF2A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AED1 pushfd ; retf 18_2_0147AED2
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_01473768 push eax; retf 18_2_01473769
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EC851B push dword ptr [esi+3Fh]; iretd 20_2_00EC852D
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EB5683 push es; retf 20_2_00EB5684
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EC9287 push FFFFFFD9h; iretd 20_2_00EC92A4
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0595 push ss; ret 20_2_031D059A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0587 push ss; ret 20_2_031D0593
Source: initial sample | Static PE information: section name: .text entropy: 7.54897918265
Source: C:\Users\user\Desktop\TRENWATR.EXE | File created: C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\Desktop\TRENWATR.EXE | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run outlook

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\TRENWATR.EXEFile opened: C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Moves itself to temp directoryShow sources
                      Source: c:\users\user\desktop\trenwatr.exeFile moved: C:\Users\user\AppData\Local\Temp\tmpG481.tmpJump to behavior
                      Source: C:\Users\user\Desktop\TRENWATR.EXERegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process information set: NOOPENFILEERRORBOX