
Analysis Report TRENWATR.EXE

Overview

General Information

Sample Name:TRENWATR.EXE
Analysis ID:383916
MD5:4c8c4125a16387f16558e841a704c718
SHA1:a550ec500bfa00f45ac799b9e5f4868a30892e23
SHA256:5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b
Tags:AgentTeslaEXE

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • TRENWATR.EXE (PID: 1048 cmdline: 'C:\Users\user\Desktop\TRENWATR.EXE' MD5: 4C8C4125A16387F16558E841A704C718)
    • TRENWATR.EXE (PID: 3336 cmdline: C:\Users\user\Desktop\TRENWATR.EXE MD5: 4C8C4125A16387F16558E841A704C718)
  • outlook.exe (PID: 6696 cmdline: 'C:\Users\user\AppData\Roaming\outlook\outlook.exe' MD5: 4C8C4125A16387F16558E841A704C718)
    • outlook.exe (PID: 6944 cmdline: C:\Users\user\AppData\Roaming\outlook\outlook.exe MD5: 4C8C4125A16387F16558E841A704C718)
  • outlook.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Roaming\outlook\outlook.exe' MD5: 4C8C4125A16387F16558E841A704C718)
    • outlook.exe (PID: 7012 cmdline: C:\Users\user\AppData\Roaming\outlook\outlook.exe MD5: 4C8C4125A16387F16558E841A704C718)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "datastore1840@yandex.comopjis0123smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 25 entries shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.TRENWATR.EXE.3ff53d8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
20.2.outlook.exe.44d1fe8.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.outlook.exe.40d1fe8.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
21.2.outlook.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.outlook.exe.3fa53d8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 7 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 21.2.outlook.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "datastore1840@yandex.comopjis0123smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: TRENWATR.EXE; Virustotal: Detection: 16%
Source: TRENWATR.EXE; ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TRENWATR.EXE; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 21.2.outlook.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 22.2.outlook.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 5.2.TRENWATR.EXE.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Uses 32bit PE files
Source: TRENWATR.EXE; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TRENWATR.EXE; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TRENWATR.EXE; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (4 identical entries)
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (9 identical entries)

System Summary:

.NET source code contains very large array initializations
Source: 5.2.TRENWATR.EXE.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6D4ECB85u002d43B1u002d4D40u002d9D23u002d56D2949191A7u007d/D248AEB2u002dB262u002d410Eu002dB587u002dCA91D7E33B16.cs | Large array initialization: .cctor: array initializer size 11927
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_074F573C NtQueryInformationProcess,
Source: TRENWATR.EXE | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: outlook.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TRENWATR.EXE, 00000000.00000002.259743735.0000000002EE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000002.270090172.0000000007510000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000000.232150888.0000000000B68000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000000.00000002.259842280.0000000002F2E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameXClcfvohVHtCAIPGfwbTlOxbHZPR.exe4 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameXClcfvohVHtCAIPGfwbTlOxbHZPR.exe4 vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.498707080.0000000000A38000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.506052290.0000000002E60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.518540002.0000000006430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs TRENWATR.EXE
Source: TRENWATR.EXE, 00000005.00000002.499094834.0000000000BF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TRENWATR.EXE
Source: TRENWATR.EXE | Binary or memory string: OriginalFilenameEnumSByteTypeInfo.exeD vs TRENWATR.EXE
Source: TRENWATR.EXE | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TRENWATR.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: outlook.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.TRENWATR.EXE.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/4@0/0
Source: C:\Users\user\Desktop\TRENWATR.EXE | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRENWATR.EXE.log
Source: C:\Users\user\Desktop\TRENWATR.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRENWATR.EXE | Virustotal: Detection: 16%
Source: TRENWATR.EXE | ReversingLabs: Detection: 14%
Source: C:\Users\user\Desktop\TRENWATR.EXE | File read: C:\Users\user\Desktop\TRENWATR.EXE
Source: unknown | Process created: C:\Users\user\Desktop\TRENWATR.EXE 'C:\Users\user\Desktop\TRENWATR.EXE'
Source: C:\Users\user\Desktop\TRENWATR.EXE | Process created: C:\Users\user\Desktop\TRENWATR.EXE C:\Users\user\Desktop\TRENWATR.EXE
Source: unknown | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe 'C:\Users\user\AppData\Roaming\outlook\outlook.exe'
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\Desktop\TRENWATR.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TRENWATR.EXE | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\TRENWATR.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: TRENWATR.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TRENWATR.EXE | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_00AC851B push dword ptr [esi+3Fh]; iretd
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_00AB5683 push es; retf
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E40587 push ss; ret
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 0_2_02E40595 push ss; ret
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0099851B push dword ptr [esi+3Fh]; iretd
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00985683 push es; retf
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_00999287 push FFFFFFD9h; iretd
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0112D95C push eax; ret
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0093851B push dword ptr [esi+3Fh]; iretd
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00925683 push es; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_00939287 push FFFFFFD9h; iretd
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B0595 push ss; ret
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_013B0587 push ss; ret
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147A728 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147446F push edi; retf 0002h
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AF71 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AF20 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AF28 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_0147AED1 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 18_2_01473768 push eax; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EC851B push dword ptr [esi+3Fh]; iretd
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EB5683 push es; retf
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_00EC9287 push FFFFFFD9h; iretd
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0595 push ss; ret
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Code function: 20_2_031D0587 push ss; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.54897918265
Source: C:\Users\user\Desktop\TRENWATR.EXE | File created: C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\Desktop\TRENWATR.EXE | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run outlook

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\TRENWATR.EXE | File opened: C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\trenwatr.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG481.tmp
Source: C:\Users\user\Desktop\TRENWATR.EXE | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TRENWATR.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TRENWATR.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TRENWATR.EXE PID: 1048, type: MEMORY
Source: Yara match | File source: Process Memory Space: outlook.exe PID: 6696, type: MEMORY
Source: Yara match | File source: Process Memory Space: outlook.exe PID: 6904, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\TRENWATR.EXE | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TRENWATR.EXE | Window / User API: threadDelayed 3681
Source: C:\Users\user\Desktop\TRENWATR.EXE | Window / User API: threadDelayed 6160
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Window / User API: threadDelayed 4487
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Window / User API: threadDelayed 5341
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 5532 | Thread sleep time: -103548s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 2968 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 4092 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 3612 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 3392 | Thread sleep count: 3681 > 30
Source: C:\Users\user\Desktop\TRENWATR.EXE TID: 3392 | Thread sleep count: 6160 > 30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6700 | Thread sleep time: -100745s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6748 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6920 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6908 | Thread sleep time: -100818s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 6932 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 3276 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 3276 | Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 608 | Thread sleep count: 4487 > 30
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe TID: 608 | Thread sleep count: 5341 > 30
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TRENWATR.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\TRENWATR.EXE | Thread delayed: delay time: 103548
Source: C:\Users\user\Desktop\TRENWATR.EXE | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Thread delayed: delay time: 100745
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Thread delayed: delay time: 100818
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Thread delayed: delay time: 922337203685477
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\TRENWATR.EXE | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TRENWATR.EXE | Code function: 5_2_0137ACA8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\TRENWATR.EXE | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\TRENWATR.EXE | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\TRENWATR.EXE | Memory written: C:\Users\user\Desktop\TRENWATR.EXE base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Memory written: C:\Users\user\AppData\Roaming\outlook\outlook.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Memory written: C:\Users\user\AppData\Roaming\outlook\outlook.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\TRENWATR.EXE | Process created: C:\Users\user\Desktop\TRENWATR.EXE C:\Users\user\Desktop\TRENWATR.EXE
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe
Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe
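The two event groups above are the RunPE-style hollowing pattern: the injector starts a child from its own image (the suspended-mode creation is flagged as a separate signature in this report) and then writes a buffer beginning with 4D5A ("MZ", a PE header) at 0x400000, the linker's default ImageBase for 32-bit executables. The report lists the memory writes before the process creations because it groups events by type, not in execution order. The added example below is editor-written detection logic, not the sandbox's own: it correlates the two event types over lines written in the report's Source/event form with a " | " separator between the two columns. The first four lines are the events listed above; the last two are constructed benign controls (a non-PE write at another base, and a spawn of a different image) that must not be flagged:

```python
"""Correlate sandbox events into the self-hollowing pattern: a process spawns
its own image, then writes a PE header at the child's ImageBase (added example)."""
import re
from collections import defaultdict

EVENTS = [
    r"Source: C:\Users\user\Desktop\TRENWATR.EXE | Process created: C:\Users\user\Desktop\TRENWATR.EXE C:\Users\user\Desktop\TRENWATR.EXE",
    r"Source: C:\Users\user\Desktop\TRENWATR.EXE | Memory written: C:\Users\user\Desktop\TRENWATR.EXE base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Process created: C:\Users\user\AppData\Roaming\outlook\outlook.exe C:\Users\user\AppData\Roaming\outlook\outlook.exe",
    r"Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Memory written: C:\Users\user\AppData\Roaming\outlook\outlook.exe base: 400000 value starts with: 4D5A",
    # constructed controls:
    r"Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe | Memory written: C:\Users\user\AppData\Roaming\outlook\outlook.exe base: 1A0000 value starts with: 0000",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe notepad.exe",
]

# "Process created: <image> <command line>"; the image is the first path ending in .exe
PROC_RE = re.compile(
    r"^Source: (?P<src>.+?) \| Process created: (?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$",
    re.I)
# "Memory written: <target> base: <hex> value starts with: <hex bytes>"
WRITE_RE = re.compile(
    r"^Source: (?P<src>.+?) \| Memory written: (?P<target>.+?) base: (?P<base>[0-9a-f]+)"
    r" value starts with: (?P<head>[0-9a-f]+)$",
    re.I)


def hollowing_candidates(lines, image_base=0x400000):
    """Return (source, target, base) for every PE header written at image_base into
    a child the source created from its own image. Two passes keep the result
    independent of the order in which the events are listed."""
    self_spawns = defaultdict(set)  # source image -> images of its self-spawned children
    for line in lines:
        m = PROC_RE.match(line)
        if m and m["image"].lower() == m["src"].lower():
            self_spawns[m["src"].lower()].add(m["image"].lower())

    hits = []
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue
        base = int(m["base"], 16)
        head = bytes.fromhex(m["head"])
        if (base == image_base
                and head.startswith(b"MZ")
                and m["target"].lower() in self_spawns[m["src"].lower()]):
            hits.append((m["src"], m["target"], base))
    return hits


if __name__ == "__main__":
    for src, target, base in hollowing_candidates(EVENTS):
        print(f"hollowing: {src} wrote a PE header at {base:#x} into self-spawned {target}")
```

On a live host the same correlation is done over process-creation and cross-process write telemetry rather than report lines; the two signals that matter are the child sharing the parent's image and the write landing at the child's ImageBase with an MZ header, and neither alone is enough (a self-spawn is what many updaters do, and a write at 0x400000 without a PE header is ordinary patching).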
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: TRENWATR.EXE, 00000005.00000002.504253675.00000000018F0000.00000002.00000001.sdmp, outlook.exe, 00000016.00000002.502684561.0000000001840000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\TRENWATR.EXE | Queries volume information (VolumeInformation) on each of the following files:
    C:\Users\user\Desktop\TRENWATR.EXE
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
    Under C:\Windows\Fonts:
        arial.ttf
        ariali.ttf
        arialbd.ttf
        arialbi.ttf
        ARIALN.TTF
        ariblk.ttf
        ARIALNI.TTF
        ARIALNB.TTF
        ARIALNBI.TTF
        bahnschrift.ttf
        calibri.ttf
        calibril.ttf
        calibrii.ttf
        calibrili.ttf
        calibrib.ttf
        calibriz.ttf
        cambria.ttc
        cambriai.ttf
        cambriab.ttf
        cambriaz.ttf
        Candara.ttf
        Candarai.ttf
        Candarab.ttf
        Candaraz.ttf
        comic.ttf
        comici.ttf
        comicbd.ttf
        comicz.ttf
        consola.ttf
        consolai.ttf
        consolab.ttf
        consolaz.ttf
        constan.ttf
        constani.ttf
        constanb.ttf
        constanz.ttf
        corbel.ttf
        corbeli.ttf
        corbelb.ttf
        corbelz.ttf
        cour.ttf
        couri.ttf
        courbd.ttf
        courbi.ttf
        ebrima.ttf
        ebrimabd.ttf
        framd.ttf
        FRADM.TTF
        framdit.ttf
        FRADMIT.TTF
        FRAMDCN.TTF
        FRADMCN.TTF
        FRAHV.TTF
        FRAHVIT.TTF
        Gabriola.ttf
        gadugi.ttf
        gadugib.ttf
        georgia.ttf
        georgiai.ttf
        georgiab.ttf
        georgiaz.ttf
        impact.ttf
        Inkfree.ttf
        javatext.ttf
        LeelawUI.ttf
        LeelUIsl.ttf
        LeelaUIb.ttf
        lucon.ttf
        l_10646.ttf
        malgun.ttf
        malgunsl.ttf
        malgunbd.ttf
        himalaya.ttf
        msjh.ttc
        msjhl.ttc
        msjhbd.ttc
        ntailu.ttf
        ntailub.ttf
        phagspa.ttf
        phagspab.ttf
        micross.ttf
        taile.ttf
        taileb.ttf
        msyh.ttc
        msyhl.ttc
        msyhbd.ttc
        msyi.ttf
        mingliub.ttc
        monbaiti.ttf
        msgothic.ttc
        mvboli.ttf
        mmrtext.ttf
        mmrtextb.ttf
        Nirmala.ttf
        NirmalaS.ttf
        NirmalaB.ttf
        pala.ttf
        palai.ttf
        palab.ttf
        palabi.ttf
        segoepr.ttf
        segoeprb.ttf
        segoesc.ttf
        segoescb.ttf
        seguiemj.ttf
        seguihis.ttf
        seguisym.ttf
        simsun.ttc
        simsunb.ttf
        Sitka.ttc
        SitkaI.ttc
        SitkaB.ttc
        SitkaZ.ttc
        sylfaen.ttf
        symbol.ttf
        tahoma.ttf
        tahomabd.ttf
        trebuc.ttf
        trebucit.ttf
        trebucbd.ttf
        trebucbi.ttf
        verdana.ttf
        verdanai.ttf
        verdanab.ttf
        verdanaz.ttf
        webdings.ttf
        wingding.ttf
        YuGothR.ttc
        YuGothM.ttc
        YuGothL.ttc
        YuGothB.ttc
        holomdl2.ttf
        CENTURY.TTF
        LEELAWAD.TTF
        LEELAWDB.TTF
        MSUIGHUR.TTF
        MSUIGHUB.TTF
        WINGDNG2.TTF
        WINGDNG3.TTF
        TEMPSITC.TTF
        PRISTINA.TTF
        PAPYRUS.TTF
        MISTRAL.TTF
        LHANDW.TTF
        ITCKRIST.TTF
        JUICE___.TTF
        FRSCRIPT.TTF
        FREESCPT.TTF
        BRADHITC.TTF
        OUTLOOK.TTF
        BKANT.TTF
        ANTQUAI.TTF
        ANTQUAB.TTF
        ANTQUABI.TTF
        GARA.TTF
        GARAIT.TTF
        GARABD.TTF
        MTCORSVA.TTF
        GOTHIC.TTF
        GOTHICI.TTF
        GOTHICB.TTF
        GOTHICBI.TTF
        ALGER.TTF
        BASKVILL.TTF
        BAUHS93.TTF
        BELL.TTF
        BELLI.TTF
        BELLB.TTF
        BRLNSR.TTF
        BRLNSDB.TTF
        BRLNSB.TTF
        BERNHC.TTF
        BOD_PSTC.TTF
        BRITANIC.TTF
        BROADW.TTF
        BRUSHSCI.TTF
        CALIFR.TTF
        CALIFI.TTF
        CALIFB.TTF
        CENTAUR.TTF
        CHILLER.TTF
        COLONNA.TTF
        COOPBL.TTF
        FTLTLT.TTF
        HARLOWSI.TTF
        HARNGTON.TTF
        HTOWERT.TTF
        HTOWERTI.TTF
        JOKERMAN.TTF
        KUNSTLER.TTF
        LBRITE.TTF
        LBRITED.TTF
        LBRITEI.TTF
        LBRITEDI.TTF
        LCALLIG.TTF
        LFAX.TTF
        LFAXD.TTF
        LFAXI.TTF
        LFAXDI.TTF
        MAGNETOB.TTF
        MATURASC.TTF
        MOD20.TTF
        NIAGENG.TTF
        NIAGSOL.TTF
        OLDENGL.TTF
        ONYX.TTF
        PARCHM.TTF
        PLAYBILL.TTF
        POORICH.TTF
        RAVIE.TTF
        INFROMAN.TTF
        SHOWG.TTF
        SNAP____.TTF
        STENCIL.TTF
        VINERITC.TTF
        VIVALDII.TTF
        VLADIMIR.TTF
The queries against the GAC assemblies and against every file under C:\Windows\Fonts are the expected side effect of the sample loading System.Drawing (GDI+ enumerates the installed font files on first use) and are not an indicator on their own; the query against the sample's own image is likewise routine for a .NET executable.
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXEQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Users\user\Desktop\TRENWATR.EXE VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Users\user\AppData\Roaming\outlook\outlook.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\outlook\outlook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match, File source: 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000015.00000002.376120241.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.260543683.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.261068565.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000014.00000002.376980132.00000000044A9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000012.00000002.363998493.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000012.00000002.361897576.0000000003E9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.513517765.00000000030FF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: TRENWATR.EXE PID: 1048, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: outlook.exe PID: 7012, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: outlook.exe PID: 6696, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: outlook.exe PID: 6904, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: TRENWATR.EXE PID: 3336, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: outlook.exe PID: 6944, type: MEMORY
                      Source: Yara match, File source: 0.2.TRENWATR.EXE.3ff53d8.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 20.2.outlook.exe.44d1fe8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 18.2.outlook.exe.40d1fe8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 21.2.outlook.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 18.2.outlook.exe.3fa53d8.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 20.2.outlook.exe.43a53d8.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.TRENWATR.EXE.3ff53d8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 18.2.outlook.exe.3fa53d8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 22.2.outlook.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.TRENWATR.EXE.4121fe8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.TRENWATR.EXE.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 20.2.outlook.exe.43a53d8.3.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\TRENWATR.EXE File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\TRENWATR.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match, File source: 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: outlook.exe PID: 7012, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: TRENWATR.EXE PID: 3336, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: outlook.exe PID: 6944, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match, same memory dumps and unpacked PE files as listed under Stealing of Sensitive Information above

MITRE ATT&CK Matrix

Techniques are listed per tactic column in the order the matrix shows them; digits appended to a technique name are the report's match counters for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation211; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Registry Run Keys / Startup Folder1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection112; Registry Run Keys / Startup Folder1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading11; Disable or Modify Tools1; Virtualization/Sandbox Evasion131; Process Injection112; Deobfuscate/Decode Files or Information1; Hidden Files and Directories1; Obfuscated Files or Information3; Software Packing3
Credential Access: OS Credential Dumping2; Input Capture1; Credentials in Registry1; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry1; Security Software Discovery211; Process Discovery2; Virtualization/Sandbox Evasion131; Application Window Discovery1; System Information Discovery114; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection1; Input Capture1; Archive Collected Data11; Data from Local System2; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
TRENWATR.EXE | 16% | Virustotal | (no label)
TRENWATR.EXE | 15% | ReversingLabs | Win32.Trojan.Wacatac
TRENWATR.EXE | 100% | Joe Sandbox ML | (no label)

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\outlook\outlook.exe | 100% | Joe Sandbox ML | (no label)

                      Unpacked PE Files

Source | Detection | Scanner | Label
21.2.outlook.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
22.2.outlook.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
5.2.TRENWATR.EXE.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comB.TTFG | 0% | Avira URL Cloud | safe
http://www.carterandcone.comes | 0% | URL Reputation (4 entries) | safe
http://www.founder.com.cn/cn$RZ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation (4 entries) | safe
http://www.typography.netL.TTFOq | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comMic | 0% | Avira URL Cloud | safe
http://www.typography.netor | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 entries) | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/xM | 0% | Avira URL Cloud | safe
http://www.tiro.com#gO | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 entries) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 entries) | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comtig | 0% | Avira URL Cloud | safe
http://JaIZBT.com | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.compe | 0% | Avira URL Cloud | safe
http://www.carterandcone.comperN | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comY | 0% | Avira URL Cloud | safe
http://www.typography.netliqueFq | 0% | Avira URL Cloud | safe
http://www.carterandcone.comi | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation (3 entries) | safe
http://www.sandoll.co.kra-d&u | 0% | Avira URL Cloud | safe
http://www.carterandcone.comrh | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comelpLm | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krony | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/staff/dennis.htmhi | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.com | 0% | URL Reputation (3 entries) | safe
http://subca.ocsp-certum.com0. | 0% | URL Reputation (3 entries) | safe
http://www.typography.netD | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cnq | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (3 entries) | safe
http://fontfabrik.com | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comD | 0% | Avira URL Cloud | safe
http://www.carterandcone.comC | 0% | URL Reputation (3 entries) | safe
http://www.typography.net | 0% | URL Reputation (3 entries) | safe
http://www.typography.netcreen | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.htmlzi | 0% | Avira URL Cloud | safe
http://www.carterandcone.com8 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comits | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htmtr-tr | 0% | Avira URL Cloud | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation (3 entries) | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation (2 entries) | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, outlook.exe, 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comB.TTFG | TRENWATR.EXE, 00000000.00000002.259515653.0000000001717000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comes | TRENWATR.EXE, 00000000.00000003.238587043.0000000005F3B000.00000004.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://dist.nuget.org/win-x86-commandline/latest/nuget.exe | outlook.exe, outlook.exe, 00000014.00000002.370585135.0000000000EB2000.00000002.00020000.sdmp, outlook.exe, 00000015.00000002.376295024.00000000005B2000.00000002.00020000.sdmp, outlook.exe, 00000016.00000000.368954462.0000000000AB2000.00000002.00020000.sdmp, TRENWATR.EXE | false | (none) | high
http://www.fontbureau.com/designers0c. | TRENWATR.EXE, 00000000.00000003.242105483.0000000005F47000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4 | outlook.exe, 00000012.00000002.360749670.0000000002EE9000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374700347.00000000032EB000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers | outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | (none) | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | TRENWATR.EXE, 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn$RZ | TRENWATR.EXE, 00000000.00000003.237832318.0000000005F53000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | TRENWATR.EXE, 00000000.00000003.234896317.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
http://www.typography.netL.TTFOq | TRENWATR.EXE, 00000000.00000003.236015819.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://repository.certum.pl/ca.cer09 | TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/cThe | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comMic | TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netor | TRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.ascendercorp.com/typedesigners.html | TRENWATR.EXE, 00000000.00000003.239865090.0000000005F44000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip | outlook.exe, outlook.exe, 00000015.00000002.376295024.00000000005B2000.00000002.00020000.sdmp, outlook.exe, 00000016.00000000.368954462.0000000000AB2000.00000002.00020000.sdmp, TRENWATR.EXE | false | (none) | high
http://www.galapagosdesign.com/xM | TRENWATR.EXE, 00000000.00000003.244974147.0000000005F47000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com#gO | TRENWATR.EXE, 00000000.00000003.237954503.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.zhongyicts.com.cn | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TRENWATR.EXE, 00000000.00000002.259743735.0000000002EE1000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360749670.0000000002EE9000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.360529730.0000000002E91000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374700347.00000000032EB000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.374363731.0000000003291000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | TRENWATR.EXE, 00000000.00000002.260543683.0000000003EEC000.00000004.00000001.sdmp, TRENWATR.EXE, 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp, outlook.exe, 00000012.00000002.361897576.0000000003E9C000.00000004.00000001.sdmp, outlook.exe, 00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp, outlook.exe, 00000015.00000002.376120241.0000000000402000.00000040.00000001.sdmp, outlook.exe, 00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.certum.pl/CPS0 | TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.comtig | TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://JaIZBT.com | outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/ | TRENWATR.EXE, 00000000.00000003.244974147.0000000005F47000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.compe | TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comperN | TRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, outlook.exe, 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.certum.pl/ctnca.crl0k | TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.comY | TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/d-haxton/HaxtonBot/archive/master.zip | outlook.exe, outlook.exe, 00000014.00000002.370585135.0000000000EB2000.00000002.00020000.sdmp, outlook.exe, 00000015.00000002.376295024.00000000005B2000.00000002.00020000.sdmp, outlook.exe, 00000016.00000000.368954462.0000000000AB2000.00000002.00020000.sdmp, TRENWATR.EXE | false | (none) | high
http://www.fontbureau.com/designers/frere-jones.htmlX | TRENWATR.EXE, 00000000.00000003.242301739.0000000005F47000.00000004.00000001.sdmp | false | (none) | high
http://www.typography.netliqueFq | TRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comi | TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://smtp.yandex.com | TRENWATR.EXE, 00000005.00000002.513816109.0000000003135000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.coml | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cn/ | TRENWATR.EXE, 00000000.00000003.237913831.0000000005F3B000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/frere-jones.html | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.242503896.0000000005F47000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | (none) | high
http://crls.yandex.net/certum/ycasha2.crl0- | TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kra-d&u | TRENWATR.EXE, 00000000.00000003.237176182.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comrh | TRENWATR.EXE, 00000000.00000003.238264721.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers/? | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/bThe | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comelpLm | TRENWATR.EXE, 00000000.00000003.238264721.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | (none) | high
http://yandex.crl.certum.pl/ycasha2.crl0q | TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers&c | TRENWATR.EXE, 00000000.00000003.248532139.0000000005F47000.00000004.00000001.sdmp | false | (none) | high
http://www.sandoll.co.krony | TRENWATR.EXE, 00000000.00000003.237176182.0000000005F3B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/staff/dennis.htmhi | TRENWATR.EXE, 00000000.00000003.245675829.0000000005F47000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersZ | TRENWATR.EXE, 00000000.00000003.241695306.0000000005F47000.00000004.00000001.sdmp | false | (none) | high
http://www.goodfont.co.kr | TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.com | TRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://subca.ocsp-certum.com0. | TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries)
                                                                unknown
                                                                http://www.typography.netDTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.founder.com.cn/cnqTRENWATR.EXE, 00000000.00000003.237832318.0000000005F53000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.galapagosdesign.com/staff/dennis.htmTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://fontfabrik.comTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.236572064.0000000005F3B000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.235975296.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.carterandcone.comDTRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.carterandcone.comCTRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.typography.netTRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.236015819.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.typography.netcreenTRENWATR.EXE, 00000000.00000003.236231153.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.ascendercorp.com/typedesigners.htmlziTRENWATR.EXE, 00000000.00000003.240042629.0000000005F47000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.carterandcone.com8TRENWATR.EXE, 00000000.00000003.238291911.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.carterandcone.comitsTRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.galapagosdesign.com/staff/dennis.htmtr-trTRENWATR.EXE, 00000000.00000003.248272029.0000000005F47000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://subca.ocsp-certum.com01TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://api.ipify.org%GETMozilla/5.0outlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                low
                                                                http://www.carterandcone.comVTRENWATR.EXE, 00000000.00000003.238264721.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.fonts.comTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  http://www.sandoll.co.krTRENWATR.EXE, 00000000.00000003.237176182.0000000005F3B000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.carterandcone.comsignTRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.sajatypeworks.comdTRENWATR.EXE, 00000000.00000003.234896317.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.sakkal.comTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://repository.certum.pl/ycasha2.cer0TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://www.carterandcone.compefTRENWATR.EXE, 00000000.00000003.238558968.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.apache.org/licenses/LICENSE-2.0TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.comTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                        high
                                                                        http://DynDns.comDynDNSoutlook.exe, 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://repository.certum.pl/ctnca.cer09TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://www.sajatypeworks.comxTRENWATR.EXE, 00000000.00000003.234896317.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designers/cabarga.htmltTRENWATR.EXE, 00000000.00000003.242859092.0000000005F47000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://www.certum.pl/CPS0TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://www.fontbureau.comaTRENWATR.EXE, 00000000.00000002.259515653.0000000001717000.00000004.00000040.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.carterandcone.comtoTRENWATR.EXE, 00000000.00000003.238427690.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://api.ipify.org%$TRENWATR.EXE, 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              low
                                                                              http://yandex.ocsp-responder.com03TRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.fontbureau.com/designers/cabarga.htmlNTRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                                high
                                                                                http://www.founder.com.cn/cnTRENWATR.EXE, 00000000.00000003.237832318.0000000005F53000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.237698757.0000000005F47000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers/cabarga.htmlTRENWATR.EXE, 00000000.00000003.242859092.0000000005F47000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.monotype.TRENWATR.EXE, 00000000.00000003.241477321.0000000005F47000.00000004.00000001.sdmp, TRENWATR.EXE, 00000000.00000003.241231274.0000000005F47000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.tiro.comTTRENWATR.EXE, 00000000.00000003.237977092.0000000005F3B000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.commTRENWATR.EXE, 00000000.00000002.259515653.0000000001717000.00000004.00000040.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.jiyu-kobo.co.jp/TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.com/designers8TRENWATR.EXE, 00000000.00000002.266888357.0000000007132000.00000004.00000001.sdmp, outlook.exe, 00000012.00000002.366183325.0000000005E70000.00000002.00000001.sdmp, outlook.exe, 00000014.00000002.381519178.00000000063D0000.00000002.00000001.sdmpfalse
                                                                                    high
                                                                                    http://crl.certum.pl/ca.crl0hTRENWATR.EXE, 00000005.00000002.518819386.0000000006660000.00000004.00000001.sdmpfalse
                                                                                      high

Contacted IPs

No contacted IP information

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383916
Start date: 08.04.2021
Start time: 12:22:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TRENWATR.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/4@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0%)
• Quality average: 34.8%
• Quality standard deviation: 38.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .EXE
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
12:23:44  API Interceptor  682x Sleep call for process: TRENWATR.EXE modified
12:24:14  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run outlook C:\Users\user\AppData\Roaming\outlook\outlook.exe
12:24:22  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run outlook C:\Users\user\AppData\Roaming\outlook\outlook.exe
12:24:29  API Interceptor  235x Sleep call for process: outlook.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRENWATR.EXE.log
Process: C:\Users\user\Desktop\TRENWATR.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\outlook.exe.log
                                                                                      Process:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1314
                                                                                      Entropy (8bit):5.350128552078965
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                      C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Process:C:\Users\user\Desktop\TRENWATR.EXE
                                                                                      File Type:Unknown
                                                                                      Category:dropped
                                                                                      Size (bytes):937984
                                                                                      Entropy (8bit):7.076855806946785
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:/SAIIK2eESC92/+WjfrGiEMCYPXVK0UC8cHpM+liUCDqOHxVMqIK1eES:/QIVd2/+WLCRM3/VK0rAUCDLHxKqII
                                                                                      MD5:4C8C4125A16387F16558E841A704C718
                                                                                      SHA1:A550EC500BFA00F45AC799B9E5F4868A30892E23
                                                                                      SHA-256:5AAAE83A4B166E0CB4A3A5841C6B92C39C66B2C8DABBE9E304C7865237C9AD5B
                                                                                      SHA-512:11519CDC8EAFD3CC39FA3AE0A335B6FA53725B77176C73FAED4999733D36C20DE9DDDDE572D027E71619A2B47CE0615C28A4A7022126ACDCDD9CD5F89D60E2CF
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Reputation:low
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n`..............P..R...........p... ........@.. ....................................@..................................p..O.................................................................................... ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............N..............@..B.................p......H........?..XH..........................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....ol...('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......
                                                                                      C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier
                                                                                      Process:C:\Users\user\Desktop\TRENWATR.EXE
                                                                                      File Type:Unknown
                                                                                      Category:modified
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:true
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: [ZoneTransfer]....ZoneId=0
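The three records above tell one story: the sample writes a byte-identical copy of itself (same MD5/SHA-256 as the submitted file) to %APPDATA%\outlook\outlook.exe, then rewrites that copy's Zone.Identifier stream to ZoneId=0 (Local Machine), which is the "hides that the sample has been downloaded from the Internet" signature. The following triage script is an added example built from the report's own values; it is not Joe Sandbox code. The record previews are reconstructed from the report's dotted rendering (non-printable bytes shown as "."), so the exact line breaks inside the Zone.Identifier stream are an assumption; the parser tolerates either layout.

```python
"""Triage of dropped-file records from a sandbox report (added example, not Joe
Sandbox code).  Flags (a) a dropped file whose hashes equal the submitted sample,
i.e. the sample copying itself to a persistence path, and (b) a Zone.Identifier
stream rewritten to a zone below Internet, which removes the Mark-of-the-Web."""
from dataclasses import dataclass
import re

# From the report header: hashes of the submitted sample.
SAMPLE_MD5 = "4c8c4125a16387f16558e841a704c718"
SAMPLE_SHA256 = "5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b"

# URLZONE ids the shell stores in the Zone.Identifier stream.  3 and above trigger
# SmartScreen / Protected View; 0-2 do not.
ZONES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
MOTW_MIN_ZONE = 3


@dataclass
class Dropped:
    path: str
    process: str      # process that wrote the file
    size: int
    md5: str
    sha256: str
    preview: bytes    # leading bytes of the file content


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style Zone.Identifier stream; return the [ZoneTransfer] keys."""
    keys, in_section = {}, False
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            in_section = m.group(1) == "ZoneTransfer"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def is_self_copy(rec: Dropped) -> bool:
    """Dropped file is byte-identical to the submitted sample."""
    return rec.md5.lower() == SAMPLE_MD5 and rec.sha256.lower() == SAMPLE_SHA256


def stripped_motw_zone(rec: Dropped):
    """ZoneId written to a Zone.Identifier stream if it is below Internet, else None."""
    if not rec.path.lower().endswith(":zone.identifier"):
        return None
    zone = parse_zone_identifier(rec.preview).get("ZoneId")
    if zone is None or not zone.isdigit():
        return None
    return int(zone) if int(zone) < MOTW_MIN_ZONE else None


def triage(records):
    """Return (path, reason) findings for the suspicious records."""
    findings = []
    for r in records:
        if is_self_copy(r):
            findings.append((r.path, "byte-identical copy of the submitted sample"))
        z = stripped_motw_zone(r)
        if z is not None:
            findings.append((r.path, f"Zone.Identifier rewritten to ZoneId={z} ({ZONES[z]})"))
    return findings


# Constructed from the three records in the report.  Previews are reconstructed from
# the dotted rendering; the exact line breaks are an assumption.
SAMPLE_RECORDS = [
    Dropped(r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\outlook.exe.log",
            r"C:\Users\user\AppData\Roaming\outlook\outlook.exe", 1314,
            "1dc1a2dcc9efaa84eabf4f6d6066565b",
            "28d63442c17bf19558655c88a635cb3c3ff1bad1ccd9784090b9749a7e71fcef",
            b'1,"fusion","GAC",0\r\n1,"WinRT","NotApp",1\r\n'),
    Dropped(r"C:\Users\user\AppData\Roaming\outlook\outlook.exe",
            r"C:\Users\user\Desktop\TRENWATR.EXE", 937984,
            "4c8c4125a16387f16558e841a704c718",
            "5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b",
            b"MZ\x90\x00\x03\x00\x00\x00"),
    Dropped(r"C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier",
            r"C:\Users\user\Desktop\TRENWATR.EXE", 26,
            "187f488e27db4af347237fe461a079ad",
            "255a65d30841ab4082bd9d0eea79d49c5ee88f56136157d8d6156aef11c12309",
            b"[ZoneTransfer]\r\nZoneId=0\r\n"),
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE_RECORDS):
        print(f"{why}: {path}")
```

The usage-log record is left alone by design: the CLR writes UsageLogs\<exe>.log itself when a .NET process starts, and its "fusion" lines only list the assemblies the copy loaded, which is a useful forensic trace of execution rather than something the malware dropped deliberately.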

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.076855806946785
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:TRENWATR.EXE
                                                                                      File size:937984
                                                                                      MD5:4c8c4125a16387f16558e841a704c718
                                                                                      SHA1:a550ec500bfa00f45ac799b9e5f4868a30892e23
                                                                                      SHA256:5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b
                                                                                      SHA512:11519cdc8eafd3cc39fa3ae0a335b6fa53725b77176c73faed4999733d36c20de9dddde572d027e71619a2b47ce0615c28a4a7022126acdcdd9cd5f89d60e2cf
                                                                                      SSDEEP:12288:/SAIIK2eESC92/+WjfrGiEMCYPXVK0UC8cHpM+liUCDqOHxVMqIK1eES:/QIVd2/+WLCRM3/VK0rAUCDLHxKqII
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n`..............P..R...........p... ........@.. ....................................@................................

                                                                                      File Icon

                                                                                      Icon Hash:0e07030d0d030750

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x4a70ea
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x606EC4F6 [Thu Apr 8 08:55:18 2021 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
add byte ptr [eax], al
(the same instruction repeated through the end of the preview: the only real code at the entry point is the single jmp through the IAT slot at 0x402000, and the bytes that follow are 00 00 padding, which the disassembler renders as `add byte ptr [eax], al`)

                                                                                      Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa7098          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa8000          0x3f884       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                      Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa50f0       0xa5200   False     0.788516926098   data       7.54897918265   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xa8000          0x3f884       0x3fa00   False     0.266258134823   data       5.24868308892   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe8000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                      Resources

Name           RVA      Size     Type                                                                                                                                 Language  Country
RT_ICON        0xa8310  0x10828  data
RT_ICON        0xb8b38  0x6f5a   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xbfa94  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xd02bc  0x94a8   data
RT_ICON        0xd9764  0x5488   data
RT_ICON        0xdebec  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294902528
RT_ICON        0xe2e14  0x25a8   data
RT_ICON        0xe53bc  0x10a8   data
RT_ICON        0xe6464  0x988    data
RT_ICON        0xe6dec  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xe7254  0x14     data
RT_GROUP_ICON  0xe7268  0x92     data
RT_VERSION     0xe72fc  0x39a    data
RT_MANIFEST    0xe7698  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                      Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                      Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2016 Computer City
Assembly Version  1.12.0.2
InternalName      EnumSByteTypeInfo.exe
FileVersion       1.12.0.2
CompanyName       Computer City
LegalTrademarks
Comments
ProductName       UnmanagedAccessor
ProductVersion    1.12.0.2
FileDescription   UnmanagedAccessor
OriginalFilename  EnumSByteTypeInfo.exe
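The Static PE Info blocks above (Entrypoint Preview, Data Directories, Sections, Imports and Version Infos) are internally consistent with a plain 32-bit .NET executable whose only native code is the loader stub: the entry point 0x4a70ea sits at the very end of .text, jumps through the single IAT slot at RVA 0x2000 (IAT size 8 = one 4-byte thunk plus terminator), that thunk is mscoree!_CorExeMain, and a 0x48-byte COM descriptor (IMAGE_COR20_HEADER) follows the IAT. The script below is an added example that cross-checks those numbers; it is not Joe Sandbox code. The entry-point bytes are reconstructed from the mnemonics shown (FF 25 imm32 for the jmp, 00 00 for each padding instruction) because the report does not print raw bytes, so they are an assumption; the section list, directory entries and version strings are copied from the tables above. It also flags the two static oddities a triager would note: a near-maximal entropy .text section in a .NET assembly (consistent with the "very large array initializations" signature, i.e. an embedded encrypted payload) and version-resource names that do not match the on-disk file name.

```python
"""Cross-check of a report's static PE fields against the canonical 32-bit CLR entry
stub (added example, not Joe Sandbox code)."""
import os
import struct

# Values copied from the report's Static PE Info.
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4a70ea
IAT_RVA, IAT_SIZE = 0x2000, 0x8                 # IMAGE_DIRECTORY_ENTRY_IAT
CLR_HEADER_RVA, CLR_HEADER_SIZE = 0x2008, 0x48  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# (name, virtual address, virtual size, entropy, characteristics) from the Sections table.
SECTIONS = [
    (".text",  0x2000,  0xa50f0, 7.54897918265,  {"EXECUTE", "CODE", "READ"}),
    (".rsrc",  0xa8000, 0x3f884, 5.24868308892,  {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0xe8000, 0xc,     0.101910425663, {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]

# Reconstructed from the Entrypoint Preview: `jmp dword ptr [00402000h]` encodes as
# FF 25 <imm32>, and each `add byte ptr [eax], al` is the disassembly of 00 00.
# The report shows mnemonics only, so the exact bytes are an assumption.
ENTRY_BYTES = bytes.fromhex("ff25 00204000") + b"\x00" * 10

VERSION_INFO = {
    "OriginalFilename": "EnumSByteTypeInfo.exe",
    "InternalName": "EnumSByteTypeInfo.exe",
    "ProductName": "UnmanagedAccessor",
    "CompanyName": "Computer City",
}
FILE_NAME = "TRENWATR.EXE"


def section_of(rva):
    """Return the section record whose virtual range contains `rva`, or None."""
    for sec in SECTIONS:
        _, va, vsize, _, _ = sec
        if va <= rva < va + vsize:
            return sec
    return None


def decode_indirect_jmp(code, image_base):
    """If `code` starts with FF 25 imm32 (jmp dword ptr [abs32]), return the RVA of the
    pointer slot it jumps through; otherwise None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    target_va = struct.unpack_from("<I", code, 2)[0]
    return target_va - image_base


def is_clr_entry_stub():
    """True when every static field agrees with the canonical 32-bit .NET loader stub:
    entry point inside an executable section, a `jmp [IAT slot]`, an IAT of exactly one
    4-byte thunk plus a null terminator, that thunk being mscoree!_CorExeMain, and a
    72-byte IMAGE_COR20_HEADER located inside a mapped section."""
    ep_rva = ENTRY_POINT_VA - IMAGE_BASE
    sec = section_of(ep_rva)
    if sec is None or "EXECUTE" not in sec[4]:
        return False
    if decode_indirect_jmp(ENTRY_BYTES, IMAGE_BASE) != IAT_RVA or IAT_SIZE != 2 * 4:
        return False
    if IMPORTS != {"mscoree.dll": ["_CorExeMain"]}:
        return False
    return CLR_HEADER_SIZE == 0x48 and section_of(CLR_HEADER_RVA) is not None


def high_entropy_code_sections(threshold=7.2):
    """Code sections with entropy near the 8.0 ceiling.  Plain CIL does not get there;
    for a .NET assembly this usually means an embedded encrypted or compressed payload."""
    return [name for name, _, _, ent, chars in SECTIONS if "CODE" in chars and ent >= threshold]


def version_info_mismatches(file_name=FILE_NAME, info=VERSION_INFO):
    """Version-resource names that disagree with the on-disk file name."""
    base = os.path.splitext(file_name)[0].lower()
    bad = []
    for key in ("OriginalFilename", "InternalName"):
        val = info.get(key, "")
        if val and os.path.splitext(val)[0].lower() != base:
            bad.append(f"{key}={val!r} != {file_name!r}")
    return bad


if __name__ == "__main__":
    print("canonical CLR entry stub:", is_clr_entry_stub())
    print("high-entropy code sections:", high_entropy_code_sections())
    print("version info mismatches:", version_info_mismatches())
```

A positive result from is_clr_entry_stub() is what lets an analyst skip native disassembly entirely and go straight to the managed code (dnSpy, ILSpy or similar); a negative result on a file that claims to be .NET would mean the native entry point was patched and deserves a closer look.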

                                                                                      Network Behavior

                                                                                      No network behavior found

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior


                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:12:23:35
                                                                                      Start date:08/04/2021
                                                                                      Path:C:\Users\user\Desktop\TRENWATR.EXE
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\TRENWATR.EXE'
                                                                                      Imagebase:0xab0000
                                                                                      File size:937984 bytes
                                                                                      MD5 hash:4C8C4125A16387F16558E841A704C718
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.260543683.0000000003EEC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.261068565.00000000040F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.259862651.0000000002F34000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:12:23:46
                                                                                      Start date:08/04/2021
                                                                                      Path:C:\Users\user\Desktop\TRENWATR.EXE
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\TRENWATR.EXE
                                                                                      Imagebase:0x980000
                                                                                      File size:937984 bytes
                                                                                      MD5 hash:4C8C4125A16387F16558E841A704C718
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.495941887.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.513517765.00000000030FF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.506281676.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:12:24:23
                                                                                      Start date:08/04/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Roaming\outlook\outlook.exe'
                                                                                      Imagebase:0x920000
                                                                                      File size:937984 bytes
                                                                                      MD5 hash:4C8C4125A16387F16558E841A704C718
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.360720856.0000000002EE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.363998493.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.361897576.0000000003E9C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:12:24:31
                                                                                      Start date:08/04/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Roaming\outlook\outlook.exe'
                                                                                      Imagebase:0xeb0000
                                                                                      File size:937984 bytes
                                                                                      MD5 hash:4C8C4125A16387F16558E841A704C718
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.375859880.000000000429C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.374665884.00000000032E4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.376980132.00000000044A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:12:24:32
                                                                                      Start date:08/04/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Imagebase:0x5b0000
                                                                                      File size:937984 bytes
                                                                                      MD5 hash:4C8C4125A16387F16558E841A704C718
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.377800877.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.376120241.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:12:24:38
                                                                                      Start date:08/04/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\outlook\outlook.exe
                                                                                      Imagebase:0xab0000
                                                                                      File size:937984 bytes
                                                                                      MD5 hash:4C8C4125A16387F16558E841A704C718
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.496146481.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.503516708.0000000002E61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Disassembly

                                                                                      Code Analysis