Analysis
- max time kernel: 300s
- max time network: 305s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 17:34
Static task: static1
Behavioral task: behavioral1
- Sample: ctvhost.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: ctvhost.exe
- Resource: win10v2004-20221111-en
General
- Target: ctvhost.exe
- Size: 950KB
- MD5: 400e6840d7481c535d4dd1cf118f128f
- SHA1: ce7b34e004cd85769405d55f2fdd5562f91b9811
- SHA256: d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364
- SHA512: 858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0
- SSDEEP: 12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09
Malware Config
Signatures
-
Contains code to disable Windows Defender 8 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
- behavioral1/memory/1052-63-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: disable_win_def)
- behavioral1/memory/1052-64-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: disable_win_def)
- behavioral1/memory/1052-65-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: disable_win_def)
- behavioral1/memory/1052-66-0x0000000000453C6E-mapping.dmp (yara_rule: disable_win_def)
- behavioral1/memory/1052-68-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: disable_win_def)
- behavioral1/memory/1052-70-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: disable_win_def)
- behavioral1/memory/1044-92-0x0000000000453C6E-mapping.dmp (yara_rule: disable_win_def)
- behavioral1/memory/516-106-0x0000000000453C6E-mapping.dmp (yara_rule: disable_win_def)
-
Processes:
ctvhost.exe, CTvHost.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: CTvHost.exe)
-
Modifies security service 2 TTPs 4 IoCs
Processes:
CTvHost.exe, ctvhost.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (process: CTvHost.exe)
-
Quasar payload 8 IoCs
Processes:
- behavioral1/memory/1052-63-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: family_quasar)
- behavioral1/memory/1052-64-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: family_quasar)
- behavioral1/memory/1052-65-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: family_quasar)
- behavioral1/memory/1052-66-0x0000000000453C6E-mapping.dmp (yara_rule: family_quasar)
- behavioral1/memory/1052-68-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: family_quasar)
- behavioral1/memory/1052-70-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: family_quasar)
- behavioral1/memory/1044-92-0x0000000000453C6E-mapping.dmp (yara_rule: family_quasar)
- behavioral1/memory/516-106-0x0000000000453C6E-mapping.dmp (yara_rule: family_quasar)
-
Processes:
ctvhost.exe, CTvHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: CTvHost.exe)
-
Processes:
ctvhost.exe, CTvHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" (process: CTvHost.exe)
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
- pid 1676: CTvHost.exe
- pid 1044: CTvHost.exe
- pid 920: CTvHost.exe
- pid 516: CTvHost.exe
-
Loads dropped DLL 2 IoCs
Processes:
- pid 1052: ctvhost.exe
- pid 1052: ctvhost.exe
-
Processes:
CTvHost.exe, ctvhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" (process: CTvHost.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" (process: CTvHost.exe)
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
CTvHost.exe, ctvhost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromecs\\CTvHost.exe\"" (process: CTvHost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ctvhost.exe\"" (process: ctvhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ctvhost.exe\"" (process: ctvhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromecs\\CTvHost.exe\"" (process: CTvHost.exe)
-
Processes:
ctvhost.exe, CTvHost.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: ctvhost.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: CTvHost.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 6: ip-api.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
ctvhost.exe, CTvHost.exe, CTvHost.exe
- PID 1760 set thread context of 1052 (pid 1760, process: ctvhost.exe, target process: ctvhost.exe)
- PID 1676 set thread context of 1044 (pid 1676, process: CTvHost.exe, target process: CTvHost.exe)
- PID 920 set thread context of 516 (pid 920, process: CTvHost.exe, target process: CTvHost.exe)
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 1260: schtasks.exe
- pid 1812: schtasks.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1660: vssadmin.exe
- pid 1272: vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid 580: powershell.exe
- pid 620: powershell.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
ctvhost.exe, vssvc.exe, powershell.exe, powershell.exe, CTvHost.exe
- Token: SeDebugPrivilege (pid 1052, process: ctvhost.exe)
- Token: SeBackupPrivilege (pid 1972, process: vssvc.exe)
- Token: SeRestorePrivilege (pid 1972, process: vssvc.exe)
- Token: SeAuditPrivilege (pid 1972, process: vssvc.exe)
- Token: SeDebugPrivilege (pid 580, process: powershell.exe)
- Token: SeDebugPrivilege (pid 620, process: powershell.exe)
- Token: SeDebugPrivilege (pid 516, process: CTvHost.exe)
-
Suspicious use of WriteProcessMemory 51 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes:
CTvHost.exe, ctvhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: CTvHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: ctvhost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: CTvHost.exe)
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
Depth: 1
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
Depth: 2
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "\Microsoft\Windows\System\Lev80\Files\OfficeTelemetryAgentsHost" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\ctvhost.exe" /f
Depth: 3
- Creates scheduled task(s)
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /delete /tn "OfficeTelemetryAgentsHost" /f
Depth: 3
-
Image: C:\Windows\SysWOW64\vssadmin.exe
Command line: "vssadmin" delete shadows /all /quiet
Depth: 3
- Interacts with shadow copies
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Command line: "C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
Depth: 3
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Command line: "C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
Depth: 4
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "\Microsoft\Windows\System\Lev80\Files\OfficeTelemetryAgentsHost" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe" /f
Depth: 5
- Creates scheduled task(s)
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /delete /tn "OfficeTelemetryAgentsHost" /f
Depth: 5
-
Image: C:\Windows\SysWOW64\vssadmin.exe
Command line: "vssadmin" delete shadows /all /quiet
Depth: 5
- Interacts with shadow copies
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
Depth: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {FFC0F677-CA2C-436E-BE9A-898B7F5CCE45} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
Depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Command line: C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Depth: 2
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Command line: "C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
Depth: 3
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads