quasar | d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

General

Target

ctvhost.exe
Size

950KB
MD5

400e6840d7481c535d4dd1cf118f128f
SHA1

ce7b34e004cd85769405d55f2fdd5562f91b9811
SHA256

d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364
SHA512

858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0
SSDEEP

12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09

Score

10^/10

quasar evasion persistence spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/5044-139-0x0000000000400000-0x0000000000458000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	CTvHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ctvhost.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ctvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinDefend\Start = "4"	ctvhost.exe

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

ctvhost.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root ctvhost.exe
71 ip-api.com
107 api.ipify.org

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root	ctvhost.exe
71	ip-api.com
107	api.ipify.org

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5044-139-0x0000000000400000-0x0000000000458000-memory.dmp	family_quasar

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ctvhost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1"	ctvhost.exe

Executes dropped EXE 2 IoCs

Processes:

CTvHost.exeCTvHost.exe

pid process

1196 CTvHost.exe
1240 CTvHost.exe

pid	process
1196	CTvHost.exe
1240	CTvHost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ctvhost.exeCTvHost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	CTvHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1"	ctvhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ctvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ctvhost.exe\""	ctvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetryAgentsHost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ctvhost.exe\""	ctvhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ctvhost.exeCTvHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CTvHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

71 ip-api.com
107 api.ipify.org

flow	ioc
71	ip-api.com
107	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

ctvhost.exectvhost.exeCTvHost.exe

description	pid	process	target process
PID 1660 set thread context of 5044	1660	ctvhost.exe	ctvhost.exe
PID 2952 set thread context of 4016	2952	ctvhost.exe	ctvhost.exe
PID 1196 set thread context of 1240	1196	CTvHost.exe	CTvHost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

364 schtasks.exe
3672 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ctvhost.exepowershell.exepowershell.exe

pid process

1660 ctvhost.exe
1660 ctvhost.exe
1048 powershell.exe
1048 powershell.exe
1396 powershell.exe
1396 powershell.exe

pid	process
364	schtasks.exe
3672	schtasks.exe

pid	process
1660	ctvhost.exe
1660	ctvhost.exe
1048	powershell.exe
1048	powershell.exe
1396	powershell.exe
1396	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ctvhost.exectvhost.exepowershell.exectvhost.exeCTvHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1660	ctvhost.exe
Token: SeDebugPrivilege	5044	ctvhost.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	4016	ctvhost.exe
Token: SeDebugPrivilege	1240	CTvHost.exe
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

ctvhost.exectvhost.exectvhost.exeCTvHost.exeCTvHost.exe

description	pid	process	target process
PID 1660 wrote to memory of 5024	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5024	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5024	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 1660 wrote to memory of 5044	1660	ctvhost.exe	ctvhost.exe
PID 5044 wrote to memory of 364	5044	ctvhost.exe	schtasks.exe
PID 5044 wrote to memory of 364	5044	ctvhost.exe	schtasks.exe
PID 5044 wrote to memory of 364	5044	ctvhost.exe	schtasks.exe
PID 5044 wrote to memory of 2816	5044	ctvhost.exe	schtasks.exe
PID 5044 wrote to memory of 2816	5044	ctvhost.exe	schtasks.exe
PID 5044 wrote to memory of 2816	5044	ctvhost.exe	schtasks.exe
PID 5044 wrote to memory of 1048	5044	ctvhost.exe	powershell.exe
PID 5044 wrote to memory of 1048	5044	ctvhost.exe	powershell.exe
PID 5044 wrote to memory of 1048	5044	ctvhost.exe	powershell.exe
PID 5044 wrote to memory of 1196	5044	ctvhost.exe	CTvHost.exe
PID 5044 wrote to memory of 1196	5044	ctvhost.exe	CTvHost.exe
PID 5044 wrote to memory of 1196	5044	ctvhost.exe	CTvHost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 2952 wrote to memory of 4016	2952	ctvhost.exe	ctvhost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1196 wrote to memory of 1240	1196	CTvHost.exe	CTvHost.exe
PID 1240 wrote to memory of 3672	1240	CTvHost.exe	schtasks.exe
PID 1240 wrote to memory of 3672	1240	CTvHost.exe	schtasks.exe
PID 1240 wrote to memory of 3672	1240	CTvHost.exe	schtasks.exe
PID 1240 wrote to memory of 3400	1240	CTvHost.exe	schtasks.exe
PID 1240 wrote to memory of 3400	1240	CTvHost.exe	schtasks.exe
PID 1240 wrote to memory of 3400	1240	CTvHost.exe	schtasks.exe
PID 1240 wrote to memory of 1396	1240	CTvHost.exe	powershell.exe
PID 1240 wrote to memory of 1396	1240	CTvHost.exe	powershell.exe
PID 1240 wrote to memory of 1396	1240	CTvHost.exe	powershell.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

CTvHost.exectvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	CTvHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ctvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CTvHost.exe

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
"C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
"C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
2⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
"C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Quasar RAT
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "\Microsoft\Windows\System\Lev80\Files\OfficeTelemetryAgentsHost" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\ctvhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "OfficeTelemetryAgentsHost" /f
3⤵
PID:2816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
"C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
"C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "\Microsoft\Windows\System\Lev80\Files\OfficeTelemetryAgentsHost" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe" /f
5⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "OfficeTelemetryAgentsHost" /f
5⤵
PID:3400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\ctvhost.exe
"C:\Users\Admin\AppData\Local\Temp\ctvhost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

7

T1112

Disabling Security Tools

4

T1089

Bypass User Account Control

1

T1088

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ctvhost.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
aad5ffcdd011396c0e4adb38cf5d5e63

SHA1
00e50ad502da679636a094068d1fc6b65d818831

SHA256
5063d51f39b24c8cc7491c849553a1e88ada53c16bbd0f30d995913e6dd8acdc

SHA512
4c6748e620311444e56e654184753800fddfc3ae995c6e2a180804f2cab763498bf9ffcfc20dd862d7d4838b4759f0bc10d31bb4244be3183ba99ee0f2bb0bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.xml
Filesize
125B

MD5
e4ccd574efd7f0dc39ddf05812076c15

SHA1
3f0c9dcf1582521b12246c5dead3019d648721e2

SHA256
b5d465cfb5577e8a60e591195b6037ddf0fea9388c2ea74ad186948ac2cf6da5

SHA512
f32ebf2bdf76611e576fc53ef4c0f4b03fa16565317b33b7f1b5343029a7c397dd83dafa123067d12dcc5f900cf2524134f4d25eee1afbcd699f678a451eaa21

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Chromecs\CTvHost.exe
Filesize
950KB

MD5
400e6840d7481c535d4dd1cf118f128f

SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811

SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

Download Submit
memory/364-143-0x0000000000000000-mapping.dmp

Download
memory/1048-152-0x000000006F7B0000-0x000000006F7FC000-memory.dmp

Filesize
304KB

Download
memory/1048-158-0x00000000060F0000-0x00000000060FE000-memory.dmp

Filesize
56KB

Download
memory/1048-160-0x0000000007220000-0x0000000007228000-memory.dmp

Filesize
32KB

Download
memory/1048-159-0x0000000007240000-0x000000000725A000-memory.dmp

Filesize
104KB

Download
memory/1048-145-0x0000000000000000-mapping.dmp

Download
memory/1048-146-0x0000000002370000-0x00000000023A6000-memory.dmp

Filesize
216KB

Download
memory/1048-147-0x0000000004E50000-0x0000000005478000-memory.dmp

Filesize
6.2MB

Download
memory/1048-148-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

Filesize
136KB

Download
memory/1048-149-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/1048-150-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/1048-151-0x0000000004CE0000-0x0000000004D12000-memory.dmp

Filesize
200KB

Download
memory/1048-157-0x0000000007180000-0x0000000007216000-memory.dmp

Filesize
600KB

Download
memory/1048-153-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/1048-154-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/1048-155-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/1048-156-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/1196-161-0x0000000000000000-mapping.dmp

Download
memory/1240-166-0x0000000000000000-mapping.dmp

Download
memory/1240-170-0x0000000006E50000-0x0000000006E8C000-memory.dmp

Filesize
240KB

Download
memory/1396-173-0x0000000000000000-mapping.dmp

Download
memory/1660-133-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/1660-136-0x0000000009400000-0x000000000949C000-memory.dmp

Filesize
624KB

Download
memory/1660-134-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/1660-135-0x0000000003560000-0x000000000356A000-memory.dmp

Filesize
40KB

Download
memory/1660-132-0x0000000000F30000-0x0000000001024000-memory.dmp

Filesize
976KB

Download
memory/2816-144-0x0000000000000000-mapping.dmp

Download
memory/3400-172-0x0000000000000000-mapping.dmp

Download
memory/3672-171-0x0000000000000000-mapping.dmp

Download
memory/4016-164-0x0000000000000000-mapping.dmp

Download
memory/5024-137-0x0000000000000000-mapping.dmp

Download
memory/5044-138-0x0000000000000000-mapping.dmp

Download
memory/5044-139-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5044-141-0x0000000006A50000-0x0000000006AB6000-memory.dmp

Filesize
408KB

Download
memory/5044-142-0x0000000006D60000-0x0000000006D72000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads