
Windows Analysis Report
Bearfoos.A!ml' in file 'trvservice.exe

Overview

General Information

Sample Name: Bearfoos.A!ml' in file 'trvservice.exe
(renamed file extension from exe' to exe, renamed because original name is a hash value)
Original Sample Name: Bearfoos.A!ml' in file 'trvservice.exe'
Analysis ID: 1301509
MD5: e5e7244199424d67a7c9a00869aa640a
SHA1: e7f197c527989c73df00a5e1e44b61a6cdd838d0
SHA256: 3ada30c76adacbbf2b15677641fcbdd94fdf162f600878f09aeedfff48be0e06

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Program does not show much activity (idle)
PE file contains sections with non-standard names

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • Bearfoos.A!ml' in file 'trvservice.exe (PID: 7128 cmdline: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe MD5: E5E7244199424D67A7C9A00869AA640A)
    • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Number of sections : 13 > 10
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Section: /19 ZLIB complexity 0.9997084888059702
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Section: /32 ZLIB complexity 0.9942730402542372
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Section: /65 ZLIB complexity 0.9992118737305349
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Section: /78 ZLIB complexity 0.9895968614718614
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Bearfoos.A!ml' in file 'trvservice.exe | String found in binary or memory: GOMAXPROCSGOMEMLIMITGetIfEntryGetVersionGlagoliticHTTP_PROXYINSERTBULKIP addressKEEP_NULLSKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingRIPEMD-160RST_STREAMSHA256-RSASHA384-RSASHA512-RSASaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupatomicand8audio/aiffaudio/midiaudio/mpegaudio/waveavx512bf16avx512gfniavx512ifmaavx512vaesavx512vbmiavx512vnnibinary(%d)complex128createtempdebug calldnsapi.dllexitThreadexp masterfloat32nanfloat64nanfont/woff2getsockoptgo-mssqldbgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleinvalid IPinvalidptrkeep-alivelocal-addrmSpanInUsemultipart-notifyListowner diedprofInsertres binderres masterresumptionrow[%d] %sruntime: gs.state = scan errorschedtracesemacquireset-cookiesetsockoptskipping: smallmoneystackLarget.Kind == tracefree(tracegc()
Source: Bearfoos.A!ml' in file 'trvservice.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exeFile opened: C:\Windows\system32\59635b8381018d6246a30475d71275ea908c85859a9855f7c46450b8bfa791dbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: classification engine | Classification label: clean2.winEXE@2/0@0/0
Source: unknown | Process created: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe
Source: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static file information: File size 8675840 > 1048576
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x28fa00
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x31e800
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /4
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /19
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /32
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /46
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /65
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /78
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: /90
Source: Bearfoos.A!ml' in file 'trvservice.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Bearfoos.A!ml' in file 'trvservice.exe, 00000000.00000002.641443279.00000207CC8F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
MITRE ATT&CK matrix (one line per tactic; a number in front of a technique is the count shown in the report):
Initial Access: Valid Accounts; Default Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts
Defense Evasion: 1 Software Packing; 1 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: 1 Security Software Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph ID: 1301509 | Sample: Bearfoos.A!ml' in file 'trv... | Start date: 01/09/2023 | Architecture: WINDOWS | Score: 2
Processes in graph: Bearfoos.A!ml' in file 'trvservice.exe (started) -> conhost.exe (started)

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1301509
Start date and time: 2023-09-01 11:15:25 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Bearfoos.A!ml' in file 'trvservice.exe
(renamed file extension from exe' to exe, renamed because original name is a hash value)
Original Sample Name: Bearfoos.A!ml' in file 'trvservice.exe'
Detection: CLEAN
Classification: clean2.winEXE@2/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 100%)
  • Quality average: 79.7%
  • Quality standard deviation: 24.6%
HCA Information: Failed
  • Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com
  • Execution Graph export aborted for target Bearfoos.A!ml' in file 'trvservice.exe, PID 7128 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: Bearfoos.A!ml' in file 'trvservice.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.709490119488056
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: Bearfoos.A!ml' in file 'trvservice.exe
File size: 8'675'840 bytes
MD5: e5e7244199424d67a7c9a00869aa640a
SHA1: e7f197c527989c73df00a5e1e44b61a6cdd838d0
SHA256: 3ada30c76adacbbf2b15677641fcbdd94fdf162f600878f09aeedfff48be0e06
SHA512: 511c6cbb54becb883ae62974805a1c9639860d114f5ed8395d1499ddf01ec9ee2e246d8c375db6918159db2ab760ce0d79626189ef63da8286f84648b4ee686f
SSDEEP: 98304:w3ba/iW06gNgpcE3M0YhN6E01LIvl9Q875U+Kqry6jXi4b:Iiog73M0Y2V1MN6875PlXi4
TLSH: A2968D47FC8555A4D6EEE230C6358252BA71BC880B3037D32B61F7B92A73BD46A79350
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........~.......".......(..........o........@...........................................`... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x466fa0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: f0ea7b7844bbc5bfa9bb32efdcea957c
Instruction
jmp 00007F98F8664340h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [005DF43Bh]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007F98F8667FAEh
dec eax
mov eax, 00000000h
jmp 00007F98F8668073h
dec eax
mov edx, dword ptr [edx]
dec eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x843000 | 0x490 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x844000 | 0xb0e8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5b02a0 | 0x148 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28f8bc | 0x28fa00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x291000 | 0x31e618 | 0x31e800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b0000 | 0x9d030 | 0x40600 | False | 0.38848983616504856 | data | 5.118060162796478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0x64e000 | 0x127 | 0x200 | False | 0.6171875 | data | 5.097874074212899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x64f000 | 0x6cd72 | 0x6ce00 | False | 0.9997084888059702 | data | 7.996872075546988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32 | 0x6bc000 | 0x16019 | 0x16200 | False | 0.9942730402542372 | data | 7.9451631215906575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46 | 0x6d3000 | 0x30 | 0x200 | False | 0.103515625 | data | 0.8556848540171443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65 | 0x6d4000 | 0xb89a9 | 0xb8a00 | False | 0.9992118737305349 | data | 7.997951108061727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78 | 0x78d000 | 0x90454 | 0x90600 | False | 0.9895968614718614 | data | 7.994922853982185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90 | 0x81e000 | 0x24574 | 0x24600 | False | 0.9740858569587629 | data | 7.807643467235927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x843000 | 0x490 | 0x600 | False | 0.3372395833333333 | data | 3.613712925284703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x844000 | 0xb0e8 | 0xb200 | False | 0.2615212429775281 | data | 5.440317243838136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x850000 | 0x5b017 | 0x5b200 | False | 0.2264821244855967 | data | 5.388707315887706 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
No network behavior found


Target ID: 0
Start time: 11:16:19
Start date: 01/09/2023
Path: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\Bearfoos.A!ml' in file 'trvservice.exe
Imagebase: 0xcf0000
File size: 8'675'840 bytes
MD5 hash: E5E7244199424D67A7C9A00869AA640A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Go lang
Reputation: low
Has exited: false

Target ID: 1
Start time: 11:16:19
Start date: 01/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff766460000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly