04a484c01214c519221232364f1b99e4aff0761a6fe9c2cfcbf0c84a246a1689

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe
Size

2.3MB
MD5

1bc877ccdae6e341b8a3ef1e3507be67
SHA1

1ed2c9ee14e3a4192bba9e4d0fe29524108cd23f
SHA256

04a484c01214c519221232364f1b99e4aff0761a6fe9c2cfcbf0c84a246a1689
SHA512

d4a91366ea7a12a1dab839db45a33ebad96324a3c1dccb2b2bd6e6115c9dd5888d44637aae675c64600b73aff30683dac1acd00a16b3da333943b7337c75e97c
SSDEEP

49152:537DPQNxWCWMpiwy1rA91zjbb7aaM429BNgFH2LM:53nPQnW4tyS1zjn7aaM4CrgcLM

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpecialSavings.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	SpecialSavings.exe

Executes dropped EXE 6 IoCs

Processes:

SpecialSavings.exeBackgroundHost.exeBackgroundHost64.exeinstall_helper.exechrome_install.exeinstall_helper.exe

pid process

1824 SpecialSavings.exe
1200 BackgroundHost.exe
1664 BackgroundHost64.exe
3672 install_helper.exe
4944 chrome_install.exe
3620 install_helper.exe

Loads dropped DLL 10 IoCs

Processes:

SpecialSavings.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe

pid	process
1824	SpecialSavings.exe
2224	regsvr32.exe
5004	regsvr32.exe
2876	regsvr32.exe
1824	SpecialSavings.exe
1824	SpecialSavings.exe
4292	regsvr32.exe
3084	regsvr32.exe
2236	regsvr32.exe
2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeBackgroundHost64.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C718BDD4-197A-4A23-B539-EB3B3A2B0C09}\LocalServer32	BackgroundHost64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C718BDD4-197A-4A23-B539-EB3B3A2B0C09}\LocalServer32\ = "\"C:\\Program Files (x86)\\specialsavings\\BackgroundHost64.exe\""	BackgroundHost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\InprocServer32\ = "C:\\Program Files (x86)\\specialsavings\\ButtonSite64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

chrome_install.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfcpnihmbfoaeoakalclfalkdepgiaje\2.0.0.1\manifest.json	chrome_install.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{938958E8-355C-49FF-92B0-53C1B87ACEA9}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{938958E8-355C-49FF-92B0-53C1B87ACEA9}	regsvr32.exe

Drops file in Program Files directory 21 IoCs

Processes:

SpecialSavings.exe1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\specialsavings\BackgroundHostPS.dll	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\ButtonSite.dll	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\ScriptHost.dll	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\background.html	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\json2.min.js	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\mz\background.js	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\BackgroundHost.exe	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\icon48.png	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\updater.js	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\icon128.png	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\BackgroundHost64.exe	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\config.xml	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\content.js	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\updaterWrapper.js	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\mz\content.js	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\uninstall.exe	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\AddonsFramework.Typelib.dll	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\icon16.png	SpecialSavings.exe
File created	C:\Program Files (x86)\specialsavings\jquery-1.9.1.min.js	SpecialSavings.exe
File created	C:\Program Files (x86)\SpecialSavings\uninst.exe	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe
File created	C:\Program Files (x86)\specialsavings\ButtonSite64.dll	SpecialSavings.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\specialsavings.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\specialsavings.exe	nsis_installer_2

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4384 taskkill.exe
2292 taskkill.exe
2768 taskkill.exe

pid	process
4384	taskkill.exe
2292	taskkill.exe
2768	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

BackgroundHost64.exeinstall_helper.exeBackgroundHost.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D4B00EE-F9A9-4780-9E98-51F4C093CE83}	BackgroundHost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\	BackgroundHost64.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Approved Extensions	install_helper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{29061ADD-30F3-4dbb-B032-62EDCCDC6355}\Policy = "3"	BackgroundHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{29061ADD-30F3-4dbb-B032-62EDCCDC6355}\AppName = "BackgroundHost.exe"	BackgroundHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\	BackgroundHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D4B00EE-F9A9-4780-9E98-51F4C093CE83}\Policy = "3"	BackgroundHost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\	BackgroundHost64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\BackgroundHost.exe = "1"	BackgroundHost64.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER	BackgroundHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software	BackgroundHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\BackgroundHost.exe = "1"	BackgroundHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings\elevationPolicyGuidx64 = "{9D4B00EE-F9A9-4780-9E98-51F4C093CE83}"	BackgroundHost64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D4B00EE-F9A9-4780-9E98-51F4C093CE83}\AppName = "BackgroundHost64.exe"	BackgroundHost64.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings	BackgroundHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{29061ADD-30F3-4dbb-B032-62EDCCDC6355}	BackgroundHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{29061ADD-30F3-4dbb-B032-62EDCCDC6355}\AppPath = "C:\\Program Files (x86)\\specialsavings"	BackgroundHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry	BackgroundHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY	BackgroundHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings	BackgroundHost64.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000	BackgroundHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings\elevationPolicyGuid = "{29061ADD-30F3-4dbb-B032-62EDCCDC6355}"	BackgroundHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\	BackgroundHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings	BackgroundHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\specialsavings\installId = "3DB10A14-8A1F-45bf-8684-BA2D099C81A8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D4B00EE-F9A9-4780-9E98-51F4C093CE83}\AppPath = "C:\\Program Files (x86)\\specialsavings"	BackgroundHost64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{938958E8-355C-49FF-92B0-53C1B87ACEA9} = 51667a6c4c1d3b1bf844938b636099058abd1481bb398fb6	install_helper.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeBackgroundHost.exeBackgroundHost64.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFE513B-69AD-4C97-A74F-95AB17C9D42C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56493971-6146-42C3-BFC3-3E4CBB768777}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\specialsavings"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C718BDD4-197A-4A23-B539-EB3B3A2B0C09}\ProgID\ = "specialsavings.BackgroundHostObject.1"	BackgroundHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.BackgroundHostObject\CurVer\ = "specialsavings.BackgroundHostObject.1"	BackgroundHost64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\ = "Navbar Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AddonsFramework.DLL\AppID = "{19975B78-1907-4DD6-A437-4C48120F46A4}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\ = "IButton"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A49B770D-F83D-40D9-9478-C7DA97736004}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib\Version = "1.0"	BackgroundHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\TypeLib	BackgroundHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}\TypeLib\ = "{52F4D3D2-195C-4A46-AEE6-ED2D56BDE1C3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.Tool.1\ = "Tool Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A49B770D-F83D-40D9-9478-C7DA97736004}\1.0\0\win32\ = "C:\\Program Files (x86)\\specialsavings\\AddonsFramework.Typelib.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib\ = "{A49B770D-F83D-40D9-9478-C7DA97736004}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C718BDD4-197A-4A23-B539-EB3B3A2B0C09}\VersionIndependentProgID\ = "specialsavings.BackgroundHostObject"	BackgroundHost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{562B9316-C08A-444A-9482-62080DD851AE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}\TypeLib\ = "{A49B770D-F83D-40D9-9478-C7DA97736004}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.Navbar\ = "Navbar Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52F4D3D2-195C-4A46-AEE6-ED2D56BDE1C3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}\ = "AddonsFramework"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52F4D3D2-195C-4A46-AEE6-ED2D56BDE1C3}\1.0\ = "ScriptHost 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}\ = "BackgroundHost"	BackgroundHost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ScriptHost.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}\ProxyStubClsid32	BackgroundHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.Navbar.1\ = "Navbar Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.ScriptHostObject.1\ = "specialsavings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.BackgroundHostObject	BackgroundHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}\ = "IExtension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE95078D-518C-4FD2-8093-FD1D4E33D3CA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52F4D3D2-195C-4A46-AEE6-ED2D56BDE1C3}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{938958E8-355C-49FF-92B0-53C1B87ACEA9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\specialsavings.Navbar\CurVer\ = "specialsavings.Navbar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}\ = "IBrowser"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9EB11AB-9384-4736-9B33-993940F88895}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C718BDD4-197A-4A23-B539-EB3B3A2B0C09}\TypeLib\ = "{E0C361C8-1477-45C2-BC83-C1C8C913551F}"	BackgroundHost64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC06F7F-2290-4D9E-8D24-54CE42766B04}\ = "Navbar Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFE513B-69AD-4C97-A74F-95AB17C9D42C}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome_install.exeinstall_helper.exe

pid process

4944 chrome_install.exe
4944 chrome_install.exe
4944 chrome_install.exe
4944 chrome_install.exe
3620 install_helper.exe
3620 install_helper.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2292 taskkill.exe
Token: SeDebugPrivilege 2768 taskkill.exe
Token: SeDebugPrivilege 4384 taskkill.exe

pid	process
4944	chrome_install.exe
4944	chrome_install.exe
4944	chrome_install.exe
4944	chrome_install.exe
3620	install_helper.exe
3620	install_helper.exe

description	pid	process
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exeSpecialSavings.exeregsvr32.exe

description	pid	process	target process
PID 2036 wrote to memory of 1824	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	SpecialSavings.exe
PID 2036 wrote to memory of 1824	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	SpecialSavings.exe
PID 2036 wrote to memory of 1824	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	SpecialSavings.exe
PID 1824 wrote to memory of 4384	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 4384	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 4384	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 2292	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 2292	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 2292	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 2768	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 2768	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 2768	1824	SpecialSavings.exe	taskkill.exe
PID 1824 wrote to memory of 1200	1824	SpecialSavings.exe	BackgroundHost.exe
PID 1824 wrote to memory of 1200	1824	SpecialSavings.exe	BackgroundHost.exe
PID 1824 wrote to memory of 1200	1824	SpecialSavings.exe	BackgroundHost.exe
PID 1824 wrote to memory of 2224	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2224	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2224	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 5004	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 5004	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 5004	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2876	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2876	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2876	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 1664	1824	SpecialSavings.exe	BackgroundHost64.exe
PID 1824 wrote to memory of 1664	1824	SpecialSavings.exe	BackgroundHost64.exe
PID 1824 wrote to memory of 4292	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 4292	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 4292	1824	SpecialSavings.exe	regsvr32.exe
PID 4292 wrote to memory of 3084	4292	regsvr32.exe	regsvr32.exe
PID 4292 wrote to memory of 3084	4292	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 2236	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2236	1824	SpecialSavings.exe	regsvr32.exe
PID 1824 wrote to memory of 2236	1824	SpecialSavings.exe	regsvr32.exe
PID 2036 wrote to memory of 3672	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	install_helper.exe
PID 2036 wrote to memory of 3672	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	install_helper.exe
PID 2036 wrote to memory of 3672	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	install_helper.exe
PID 2036 wrote to memory of 4944	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	chrome_install.exe
PID 2036 wrote to memory of 4944	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	chrome_install.exe
PID 2036 wrote to memory of 4944	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	chrome_install.exe
PID 2036 wrote to memory of 3620	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	install_helper.exe
PID 2036 wrote to memory of 3620	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	install_helper.exe
PID 2036 wrote to memory of 3620	2036	1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe	install_helper.exe

C:\Users\Admin\AppData\Local\Temp\1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bc877ccdae6e341b8a3ef1e3507be67_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\SpecialSavings.exe
SpecialSavings.exe /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM PropertySync.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM BackgroundHost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM BackgroundHost64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files (x86)\specialsavings\BackgroundHost.exe
"C:\Program Files (x86)\specialsavings\BackgroundHost.exe" /RegServer
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:1200

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\specialsavings\ScriptHost.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2224

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\specialsavings\ButtonSite.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\specialsavings\AddonsFramework.Typelib.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2876

C:\Program Files (x86)\specialsavings\BackgroundHost64.exe
"C:\Program Files (x86)\specialsavings\BackgroundHost64.exe" /RegServer
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
PID:1664

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\specialsavings\ButtonSite64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\specialsavings\ButtonSite64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3084

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\specialsavings\AddonsFramework.Typelib.dll"
3⤵
- Loads dropped DLL
PID:2236

C:\Users\Admin\AppData\Local\Temp\install_helper.exe
install_helper.exe {938958E8-355C-49FF-92B0-53C1B87ACEA9}
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:3672

C:\Users\Admin\AppData\Roaming\SpecialSavings\chrome_install.exe
chrome_install.exe "C:\Users\Admin\AppData\Roaming\SpecialSavings\SpecialSavings.crx" bfcpnihmbfoaeoakalclfalkdepgiaje
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Users\Admin\AppData\Local\Temp\install_helper.exe
install_helper.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/oawm14wc.Admin\Extensions\[email protected]\install.rdf" app-profile
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\specialsavings\AddonsFramework.Typelib.dll

Filesize
84KB

MD5
58ab9bc3bf635dc862b100f7da59ba0c

SHA1
7894830cc3d6ecab6b1d761059ce61b61a813feb

SHA256
58530b53c1b036a15976268e8781977a6e1afceb86730eca1a90903a0a73bef2

SHA512
4f04c472d456a987bbc87402d74a4c8d450da9490272c5a581e77f7d682dcd14c1d8044c74e4873e0ee2da668143c61a9af6b4ed753c4599ef769c050cbde133

Download Submit
C:\Program Files (x86)\specialsavings\BackgroundHost.exe

Filesize
584KB

MD5
25f435f4e776fdfb50e0cb13b9137599

SHA1
e8790b8bf00263f80c8d70b331a6e8a636397bdd

SHA256
e93d5e99dd6cc97c43012d092516eb581280d4410d9c760432b39920c32180dd

SHA512
ba7e9402696a684168f70c9c09a335a9bc33d4670f9c99f636f3f90c58f6948b6bc7298bd130aade9844c154f4d71f2d710535593eff59e41725bd6908911461

Download Submit
C:\Program Files (x86)\specialsavings\BackgroundHost64.exe

Filesize
447KB

MD5
bc8dbcf85683b26fe92fc641d2fde44d

SHA1
3c38cf077639ea32f0fe47aaabf8e78538857279

SHA256
d78b3249933f4810bf7835b362568a42afeef773a307b964e90ba6d5a09fe372

SHA512
ec7f0197cf1c104e8a92eaaf0134b2cf9cbd15183951d503daf6bd3915e50a42f6812400aaa3270a415f39124b3e9a2115bd301ac292ddabb1476582dda2d1ff

Download Submit
C:\Program Files (x86)\specialsavings\ButtonSite.dll

Filesize
326KB

MD5
b762295d0b9e836ca8136dd502f46853

SHA1
6997ffbf0cd9f1ff50ecc39006fd3f2d9c285fcd

SHA256
967ca12fa5fdfdaae83d0d319ce9f961f1c918bbe6559c158e956c99bb4af527

SHA512
60ad86d7254c583abac5ed24996b04f4b84c51ee85e9866b8c7a3d74f72732d01a6471a3297bfc12107141872d0b89dd2222860ff3892bd2a42c002eb9380b63

Download Submit
C:\Program Files (x86)\specialsavings\ButtonSite64.dll

Filesize
323KB

MD5
44498e8954a87d0b5cd2e3f83307e531

SHA1
161576502bfecc87888e8a709575ca897673790d

SHA256
4801d103997383998ef128217938b786e7e645f2353ccc5a419ec4907877bd8a

SHA512
dfb6d046edb6236629c1a2d4d69be373ed60b8e1e4855cad415badf5fac0657b5ab24a591dc831158a491c586229b7065b064bd9d1c0e68c2969002a8b4adc0e

Download Submit
C:\Program Files (x86)\specialsavings\ScriptHost.dll

Filesize
373KB

MD5
816bdea9ac91c88c7b1f374c7e5a74c8

SHA1
532967fe6e5c86600ba9d585f40595df49a71507

SHA256
4f0cb78047456f9fe345303a32f9bc6d2b16ef2e7241e9868d83ba480c26d89f

SHA512
45e10a9ca34192e31ac0ccd04739cb490316a7932031212a95322bbe74e298f3a7ff8c89ddd2c3eb135b7d4f374cfcf7b3b9a6fde437c3b22e21db327d6d4d70

Download Submit
C:\Program Files (x86)\specialsavings\config.xml

Filesize
794B

MD5
ee2f25dc37dd6751c2a461a2221211ca

SHA1
c964f8fe9744c66aca98332958d4901af2c90eeb

SHA256
f5b8e26bb93ca1f9030b3f840e92df2a0508adbd69b7c464fa3bf1aaec5cda64

SHA512
dd7f0cc8bee45b23b401c6fe78830f7b144c43a0275a33cf8e5f805dc47237d7476ab8ea702190f83fdb5ca011d8b165046dcbfd37cda4539fc1210a8e816bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfcpnihmbfoaeoakalclfalkdepgiaje\2.0.0.1\manifest.json

Filesize
1KB

MD5
0fde1a5a14bd694478d18d554b39ea0f

SHA1
c129151b66d470873bd3af45ac5b68f9c64ef529

SHA256
e28e5c405fe14eb7b221d38616a54a10b30cbcc670568ceafacfefed0eb799c6

SHA512
fa67b69184f320c46be9f69e3846c9f0de4599a51d0a8c91a7587321d1d32c14d52f57edf8110670664b3fde3b418c91ec03ab9090b346709d81bb2a49a67ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\install_helper.exe

Filesize
564KB

MD5
307d74fb9401929ba53200706aa92013

SHA1
1aa7b5436c9b740b986dfea8b6f5826a26e169b4

SHA256
cb77ca5b69283cfbf26e33d8ffb6ca660d73fcd03b76a34be79b03c8e6f523c3

SHA512
641de0fcd91aa4dfecc29c9e96ec974d68c9f5caeb1ababeaae85051999ded2506d87ed3d5e6315394aa65b36d03752a43bf38d085a2ecbb50460cb9b560e4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh329A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh329A.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso379B.tmp\nsisunz.dll

Filesize
88KB

MD5
bd97d86d8bd07ebdc8ec662a3f31dfd5

SHA1
5e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82

SHA256
c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922

SHA512
4575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\specialsavings.exe

Filesize
1013KB

MD5
fa56e0c29bb3375bbcf81afe9c83483c

SHA1
ff902db3d753694cb321a150db87d9fc9b20681b

SHA256
f334a60acf4122dd88458219f26c3baaf014c3ad423133f0a5c67224e2f285ba

SHA512
6889b13480fb69e7cafbcbb601cd43d8aac89fc11f6aad0eb2030d8ddf5f24e43edde410cb1e495763726836708da15cc29d5191e3769e81c9c4740c50d85c20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oawm14wc.Admin\Extensions\[email protected]\install.rdf

Filesize
1KB

MD5
591e0322cfe525d3e0a1f5f15be55c36

SHA1
308cf6cb9ccc551707b4db65b90ff19b2e0f88bc

SHA256
b69efca1f9a0bdc438dc33d14af4c585b36b10cd4ecd6a1117ab3605a9acb2d5

SHA512
5713536b209a17e5fca61f1521dfbcfc96bc8239085492464c090413e30598d136917f4d178284b5cea706cafe14cc259150b928f832cec5bd339a803b455e37

Download Submit
C:\Users\Admin\AppData\Roaming\SpecialSavings\SpecialSavings.crx

Filesize
69KB

MD5
7329ef72e4ee49990a62c06ab6feb1e6

SHA1
3d2bf52f5d18ed79a90be2079a4b4271c216718a

SHA256
59164dbb8a7dede962f647734b455ad933c31a2f1f3193f5b0e16eb02d08c93e

SHA512
2479c8a12aa2a91a76c018bf7d9b6848026bd5a87a8a53d28ee29b35d5025ca16c4143672c3b9fc6315b4e367d778d545f9013395bea2f26b557b935afbdb53a

Download Submit
C:\Users\Admin\AppData\Roaming\SpecialSavings\chrome_install.exe

Filesize
1.1MB

MD5
0a1dc567bd6b241e4fa7ef27f1eba05a

SHA1
7a5d74e35d161da9c1cda5e062007a96af28bd62

SHA256
0a7691f82e885a2ecca874524da7e605de3a183a153b578c5e936236432b8dc8

SHA512
bab6fa82b167add04fb1f2b2700c87daa9aa0f24269d99eb7996c95f9a040c7c436464d90ca24bd18889be6d884fc4a1dedf16f2784b626731129d3e784394ae

Download Submit

pid	process
1824	SpecialSavings.exe
1200	BackgroundHost.exe
1664	BackgroundHost64.exe
3672	install_helper.exe
4944	chrome_install.exe
3620	install_helper.exe