quasar | d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

Analysis

max time kernel
300s
max time network
305s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ctvhost.exe
Size

950KB
MD5

400e6840d7481c535d4dd1cf118f128f
SHA1

ce7b34e004cd85769405d55f2fdd5562f91b9811
SHA256

d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364
SHA512

858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0
SSDEEP

12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09

Score

10^/10

quasar evasion persistence ransomware spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1052-63-0x0000000000400000-0x0000000000458000-memory.dmp	disable_win_def
behavioral1/memory/1052-64-0x0000000000400000-0x0000000000458000-memory.dmp	disable_win_def
behavioral1/memory/1052-65-0x0000000000400000-0x0000000000458000-memory.dmp	disable_win_def
behavioral1/memory/1052-66-0x0000000000453C6E-mapping.dmp	disable_win_def
behavioral1/memory/1052-68-0x0000000000400000-0x0000000000458000-memory.dmp	disable_win_def
behavioral1/memory/1052-70-0x0000000000400000-0x0000000000458000-memory.dmp	disable_win_def
behavioral1/memory/1044-92-0x0000000000453C6E-mapping.dmp	disable_win_def
behavioral1/memory/516-106-0x0000000000453C6E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

ctvhost.exeCTvHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CTvHost.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	CTvHost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1052-63-0x0000000000400000-0x0000000000458000-memory.dmp	family_quasar
behavioral1/memory/1052-64-0x0000000000400000-0x0000000000458000-memory.dmp	family_quasar
behavioral1/memory/1052-65-0x0000000000400000-0x0000000000458000-memory.dmp	family_quasar
behavioral1/memory/1052-66-0x0000000000453C6E-mapping.dmp	family_quasar
behavioral1/memory/1052-68-0x0000000000400000-0x0000000000458000-memory.dmp	family_quasar
behavioral1/memory/1052-70-0x0000000000400000-0x0000000000458000-memory.dmp	family_quasar
behavioral1/memory/1044-92-0x0000000000453C6E-mapping.dmp	family_quasar
behavioral1/memory/516-106-0x0000000000453C6E-mapping.dmp	family_quasar

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ctvhost.exeCTvHost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	CTvHost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ctvhost.exeCTvHost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	CTvHost.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

CTvHost.exeCTvHost.exeCTvHost.exeCTvHost.exe

pid process

1676 CTvHost.exe
1044 CTvHost.exe
920 CTvHost.exe
516 CTvHost.exe
Loads dropped DLL 2 IoCs

Processes:

ctvhost.exe

pid process

1052 ctvhost.exe
1052 ctvhost.exe

pid	process
1676	CTvHost.exe
1044	CTvHost.exe
920	CTvHost.exe
516	CTvHost.exe

pid	process
1052	ctvhost.exe
1052	ctvhost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	CTvHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	CTvHost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromecs\\CTvHost.exe\""	CTvHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ctvhost.exe\""	ctvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ctvhost.exe\""	ctvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromecs\\CTvHost.exe\""	CTvHost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ctvhost.exeCTvHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CTvHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

ctvhost.exeCTvHost.exeCTvHost.exe

description	pid	process	target process
PID 1760 set thread context of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1676 set thread context of 1044	1676	CTvHost.exe	CTvHost.exe
PID 920 set thread context of 516	920	CTvHost.exe	CTvHost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1260 schtasks.exe
1812 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1660 vssadmin.exe
1272 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

580 powershell.exe
620 powershell.exe

pid	process
1260	schtasks.exe
1812	schtasks.exe

pid	process
1660	vssadmin.exe
1272	vssadmin.exe

pid	process
580	powershell.exe
620	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ctvhost.exevssvc.exepowershell.exepowershell.exeCTvHost.exe

description	pid	process
Token: SeDebugPrivilege	1052	ctvhost.exe
Token: SeBackupPrivilege	1972	vssvc.exe
Token: SeRestorePrivilege	1972	vssvc.exe
Token: SeAuditPrivilege	1972	vssvc.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	516	CTvHost.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

ctvhost.exectvhost.exeCTvHost.exetaskeng.exeCTvHost.exe

description	pid	process	target process
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1760 wrote to memory of 1052	1760	ctvhost.exe	ctvhost.exe
PID 1052 wrote to memory of 1260	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 1260	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 1260	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 1260	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 964	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 964	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 964	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 964	1052	ctvhost.exe	schtasks.exe
PID 1052 wrote to memory of 1660	1052	ctvhost.exe	vssadmin.exe
PID 1052 wrote to memory of 1660	1052	ctvhost.exe	vssadmin.exe
PID 1052 wrote to memory of 1660	1052	ctvhost.exe	vssadmin.exe
PID 1052 wrote to memory of 1660	1052	ctvhost.exe	vssadmin.exe
PID 1052 wrote to memory of 580	1052	ctvhost.exe	powershell.exe
PID 1052 wrote to memory of 580	1052	ctvhost.exe	powershell.exe
PID 1052 wrote to memory of 580	1052	ctvhost.exe	powershell.exe
PID 1052 wrote to memory of 580	1052	ctvhost.exe	powershell.exe
PID 1052 wrote to memory of 1676	1052	ctvhost.exe	CTvHost.exe
PID 1052 wrote to memory of 1676	1052	ctvhost.exe	CTvHost.exe
PID 1052 wrote to memory of 1676	1052	ctvhost.exe	CTvHost.exe
PID 1052 wrote to memory of 1676	1052	ctvhost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1676 wrote to memory of 1044	1676	CTvHost.exe	CTvHost.exe
PID 1808 wrote to memory of 920	1808	taskeng.exe	CTvHost.exe
PID 1808 wrote to memory of 920	1808	taskeng.exe	CTvHost.exe
PID 1808 wrote to memory of 920	1808	taskeng.exe	CTvHost.exe
PID 1808 wrote to memory of 920	1808	taskeng.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe
PID 920 wrote to memory of 516	920	CTvHost.exe	CTvHost.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CTvHost.exe

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
"C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
"C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "\Microsoft\Windows\System\Lev80\Files\OfficeTelemetryAgentsHost" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\ctvhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:1260

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "OfficeTelemetryAgentsHost" /f
3⤵
PID:964

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
"C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
"C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:1044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "\Microsoft\Windows\System\Lev80\Files\OfficeTelemetryAgentsHost" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe" /f
5⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "OfficeTelemetryAgentsHost" /f
5⤵
PID:1332

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin" delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\taskeng.exe
taskeng.exe {FFC0F677-CA2C-436E-BE9A-898B7F5CCE45} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
"C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f443f411868ba24cc547a8a2c30a9e4d

SHA1
697c23e71e6ab5effd3617261b031b9554695249

SHA256
161e4a10edbb6e899efb500c669dcf3fcb20ca85849961c22ade27d9ac49686b

SHA512
90b49bd3dc3afe6c06d53306e938265a145bcdb05a65f5c947903a4b9512be2b740647eae5c23026a726c95644547be935c201dc6bcf6bff9412c9f83ca9391b

Download Submit
\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
memory/516-106-0x0000000000453C6E-mapping.dmp

Download
memory/580-75-0x0000000000000000-mapping.dmp

Download
memory/580-78-0x000000006E5B0000-0x000000006EB5B000-memory.dmp

Filesize
5.7MB

Download
memory/580-77-0x000000006E5B0000-0x000000006EB5B000-memory.dmp

Filesize
5.7MB

Download
memory/620-96-0x000000006E000000-0x000000006E5AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-97-0x0000000000000000-mapping.dmp

Download
memory/964-73-0x0000000000000000-mapping.dmp

Download
memory/1044-92-0x0000000000453C6E-mapping.dmp

Download
memory/1052-63-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1052-61-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1052-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1052-68-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1052-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1052-66-0x0000000000453C6E-mapping.dmp

Download
memory/1052-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1052-64-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1260-72-0x0000000000000000-mapping.dmp

Download
memory/1660-74-0x0000000000000000-mapping.dmp

Download
memory/1676-84-0x0000000001060000-0x0000000001154000-memory.dmp

Filesize
976KB

Download
memory/1676-81-0x0000000000000000-mapping.dmp

Download
memory/1760-54-0x0000000000B00000-0x0000000000BF4000-memory.dmp

Filesize
976KB

Download
memory/1760-59-0x0000000005870000-0x00000000058CA000-memory.dmp

Filesize
360KB

Download
memory/1760-58-0x0000000007CA0000-0x0000000007D30000-memory.dmp

Filesize
576KB

Download
memory/1760-57-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/1760-56-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/1760-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download