Malware Analysis Report

2025-03-15 04:37

Sample ID: 241027-2hmn5avdlq
Target: 7648fe40e71c619b3dd53843e81145a3_JaffaCakes118
SHA256: b0ec1a3337595b0b1c44b50dab3b0f78a180dc2656eac35c64212d941b8df17e
Tags: adware discovery persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b0ec1a3337595b0b1c44b50dab3b0f78a180dc2656eac35c64212d941b8df17e

Threat Level: Shows suspicious behavior

The file 7648fe40e71c619b3dd53843e81145a3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware discovery persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 22:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 22:35
Reported: 2024-10-27 22:37
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe N/A
N/A N/A C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe N/A
N/A N/A C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CouponAlert_2p Browser Plugin Loader = "C:\\PROGRA~2\\COUPON~1\\bar\\1.bin\\2pbrmon.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Checks installed software on the system

Tags: discovery

Installs/modifies Browser Helper Object

Tags: stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3a421c8f-e238-4aeb-8874-b8b5f2cc4772} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3a421c8f-e238-4aeb-8874-b8b5f2cc4772}\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799}\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pradio.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\LOGO.BMP C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieuser.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\Message\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\Message\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pimpipe.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\chrome\2pffxtbr.jar C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbarsvc.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pscript.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmedint.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pradio.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2puabtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\LOGO.BMP C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrmon.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmsg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2puabtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmedint.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskplay.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbarsvc.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrmon.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrcAs.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskplay.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2ptpinst.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phttpct.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\Settings\s_pid.dat C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phttpct.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc}\AppName = "2pSlSrch.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94}\AppName = "2pSrchMn.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556}\AppName = "2pimpipe.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{7b9f8c21-46ec-4c0b-8683-e755ef84577a} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d}\AppName = "2pmedint.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c}\AppName = "2pSkPlay.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{3462c343-be19-4143-af70-cefb56f46fc6} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ebbc4e43-292a-40df-88e3-3262b7521460}\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.ThirdPartyInstaller.1 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2d205adf-c992-4eda-99c3-096e13f38ab4}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7717f4b3-397f-4ce5-9192-6effde3ac999}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60e91567-ef8a-4520-bce2-83aba5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20BCCE5A-C687-46FF-8DD2-AD8235F5F2B4}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.XMLSessionPlugin\CLSID\ = "{c2df3856-676c-41dc-a73b-facbdf8e81e9}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53CA18E7-5223-4358-9FD9-97C62C66C5BD}\1.0 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23b0ae65-17d2-4491-98e5-b1aa6228dda2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D244EAC5-A0F5-4859-A1F8-18ABC0AC3A00}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.MultipleButton.1\CLSID\ = "{def07acd-bcea-4269-933a-4087d20842bb}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8AF87C1-0B1E-494B-AAF0-CECC3FFEDF99}\ = "ITemplateXMLElement" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.ScriptButton\CurVer C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{79583DE9-D0C2-44EF-AE0D-CBFA16C2A785} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7b9f8c21-46ec-4c0b-8683-e755ef84577a}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.FeedManager.1\CLSID\ = "{2d205adf-c992-4eda-99c3-096e13f38ab4}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}\TypeLib\ = "{20BCCE5A-C687-46FF-8DD2-AD8235F5F2B4}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4116F8C-A634-4536-B9EF-6B9EBCC5BAE1}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.SettingsPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36A7148B-639E-423C-90BB-30B6E1A40BD7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92580E8C-88F5-4551-9D9E-8147E7EE2C32}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16fe2505-f2a0-4782-b035-af0e5188c02c}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.PseudoTransparentPlugin\ = "Pseudo Transparent Plugin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CA3D0AB-F807-462C-BA7F-E27F07F91E32}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{004EB151-885B-4A9E-A22D-CA98DD998D75}\ = "_ITemplateBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAFC4DAE-7794-4E16-9A98-F6001303DCD0}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36A7148B-639E-423C-90BB-30B6E1A40BD7}\TypeLib\ = "{7924FD2B-877C-4395-A063-A88AB887EA6D}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{61DAB0AD-AD23-4E40-84AC-7C6CE64D4EB3}\TypeLib\ = "{53CA18E7-5223-4358-9FD9-97C62C66C5BD}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{004EB151-885B-4A9E-A22D-CA98DD998D75}\TypeLib\ = "{D7CE22AF-CCB3-423F-84D5-4D77152181F3}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.FeedManager\CurVer\ = "CouponAlert_2p.FeedManager.1" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D8E17B-312E-4E12-913B-A841A8631143}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86d02bcf-0e0e-444f-8a8d-2d5c4a9e6578}\InprocServer32\ = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin\\2pdyn.dll" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4d8eacbc-e293-4462-b91e-42ea5b54b743}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7717f4b3-397f-4ce5-9192-6effde3ac999}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16fe2505-f2a0-4782-b035-af0e5188c02c}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.XMLSessionPlugin.1 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8542E415-0E53-4261-8BE4-0D1598229D90}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.DynamicBarButton\ = "Bar Button Class" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0bdf6c42-132c-45f5-92de-dc13f40c6dab}\ = "CouponAlert_2p HTML" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60e91567-ef8a-4520-bce2-83aba5256799}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{004EB151-885B-4A9E-A22D-CA98DD998D75}\ = "_ITemplateBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D244EAC5-A0F5-4859-A1F8-18ABC0AC3A00} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8867ac9b-4426-44a2-a693-c95850d3405c}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53CA18E7-5223-4358-9FD9-97C62C66C5BD}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.HTMLMenu\CurVer C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CA3D0AB-F807-462C-BA7F-E27F07F91E32}\ = "It8PseudoTransparent" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8867ac9b-4426-44a2-a693-c95850d3405c}\Control C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16fe2505-f2a0-4782-b035-af0e5188c02c}\MiscStatus C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FC9013-4A5A-4306-9695-FCE0A6617F22}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.DynamicBarButton.1 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8AF87C1-0B1E-494B-AAF0-CECC3FFEDF99}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2d205adf-c992-4eda-99c3-096e13f38ab4}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7E7FB02-C4FD-446E-8F5B-463A049935BF}\1.0 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.MultipleButton\CurVer C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.ToolbarPlugin.1\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23b38049-323f-443d-9732-f454e5b15b72}\MiscStatus\1\ = "131473" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{411b1946-3277-4a7f-9f60-745266360613}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D244EAC5-A0F5-4859-A1F8-18ABC0AC3A00}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cf9d6d4e-5496-438e-ba24-5a580a59f5a3}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21D9997E-5D2A-4737-BCBA-C958C0590295}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2pSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -remove

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -install

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe

"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe"

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe

"C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe" 2ptpinst.dll,#5
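Two things in the tables above are worth reading together. Every WriteProcessMemory row has 2pSetup.exe (PID 804) as the writer, and the targets are exactly the four children in the Processes list (two 2pbarsvc.exe instances, 2pbrmon.exe and 2pHighIn.exe). On Windows the parent writes into a newly created child's address space as part of ordinary process creation, so this signature fires for almost any installer that spawns helpers; it only points at injection when a target is a process the writer did not start itself, and the sandbox does not show the written addresses or sizes that would settle the question. The command lines show two patterns worth tagging on their own: the service binary is run with -remove and then -install (a reinstall of the toolbar service), and 2pHighIn.exe is invoked with 2ptpinst.dll,#5, the same argument form rundll32 uses to call a DLL export by ordinal rather than by name. The Python below is an added example and not part of the sandbox report: it rebuilds the parent/child tree from the rows, tags those two command-line patterns, and lists any write target that is not one of the parent's own children. The rows and command lines are copied from this report; the tag names and function names are the example's own.

```python
import re
from collections import defaultdict

# Rows constructed from this report's "Suspicious use of WriteProcessMemory" table
# (behavioral1); each distinct row is repeated as often as the report lists it.
WPM_ROWS = (
    [r"PID 804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe"] * 7
    + [r"PID 804 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe"] * 7
    + [r"PID 804 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe"] * 7
    + [r"PID 804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe"] * 7
)

# Command lines copied from the report's "Processes" section.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"',
    r'"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -remove',
    r'"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -install',
    r'"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe"',
    r'"C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe" 2ptpinst.dll,#5',
]

# Source image is the shortest prefix ending in .exe; the target may contain spaces.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+)$", re.I)


def parse_wpm(rows):
    """Turn sandbox rows into (src_pid, dst_pid, src_image, dst_image) tuples."""
    events = []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def process_tree(events):
    """parent pid -> {child pid: (child image, number of writes into it)}"""
    tree = defaultdict(dict)
    for src, dst, _, dst_image in events:
        image, count = tree[src].get(dst, (dst_image, 0))
        tree[src][dst] = (image, count + 1)
    return dict(tree)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_cmdline(cmdline):
    """Split image from arguments and tag the two patterns seen in this report."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmdline) or re.match(r"^(\S+)\s*(.*)$", cmdline)
    image, args = m.group(1), m.group(2).strip()
    info = {"image": image, "args": args, "tags": []}
    if re.fullmatch(r"-(install|remove)", args, re.I):
        info["tags"].append("service-" + args[1:].lower())
    # rundll32-style "<dll>,#<ordinal>" or "<dll>,<ExportName>" argument form
    exp = re.fullmatch(r"(\S+\.dll),(?:#(\d+)|([A-Za-z_]\w*))", args, re.I)
    if exp:
        info["dll"] = exp.group(1)
        info["export"] = ("ordinal", int(exp.group(2))) if exp.group(2) else ("name", exp.group(3))
        info["tags"].append("dll-export-call")
    return info


def injection_candidates(tree, cmdlines):
    """Write targets that are NOT among the images launched as processes; an empty
    list means every write went to a child the writer had just created."""
    spawned = {basename(classify_cmdline(c)["image"]) for c in cmdlines}
    targets = {basename(img) for kids in tree.values() for img, _ in kids.values()}
    return sorted(targets - spawned)


if __name__ == "__main__":
    tree = process_tree(parse_wpm(WPM_ROWS))
    for parent, kids in tree.items():
        for pid, (image, writes) in kids.items():
            print(f"{parent} -> {pid} {image} ({writes} writes)")
    for c in PROCESS_CMDLINES:
        print(classify_cmdline(c))
    print("injection candidates:", injection_candidates(tree, PROCESS_CMDLINES))
```

Run against a different report, a non-empty injection_candidates list is the row set to look at first; here it is empty, which is why the behavioral1 score rests on the persistence and browser changes rather than on this signature.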

Network

N/A

Files

\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll

MD5 a787e3fbc688c71cf530f951e1629da6
SHA1 dcf03b6bc8b5780f9fafc1f5e008a50e4a1f30db
SHA256 e63fd19af8bdd92476a365dc9b7a0f312c14a2f9595d6788c3700350b36084c7
SHA512 94280e21a65805164be83a234a9918bca190f6ebcb0803203b5611a79b53a3f5f3b05cbb06ad944175e61b9175e1de023c1cef9c11d0f846e69148c2fbb3b983

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll

MD5 bef8418e2bb907705989694fa04a4f3a
SHA1 f1acca6a112aab18be7c4a38e3ebb042960d57c0
SHA256 f8dc25c92591c9a921fd367739180b0ddf602f4075d73cd669981bcb1a55cd0a
SHA512 c549c655f29abb91e65a3e445a0a28c65e78c82e6aa7c1fc99de2e5e3d3a2a4bc342e64e5f7c80b33a12b47131b74a537847e2446c632960825cf4fdd7e3e96f

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll

MD5 5afbf0822a1353e409b84f406ab6c275
SHA1 b57a215306698751f73a4fec91330aa2739594ea
SHA256 63020f4bb854913dcddeb0b0bd9469751a4861273391127ce041671ffe776dc5
SHA512 bbee841572d868e51a0bb0685da0630a5708c3f444bfb352bd8093c747fa42d1367d99c57c8eed002e2b1db216c1396da1fe3f48eda78390ec6cf11117938ea7

\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

MD5 c0bebcb3dfc2edb4c296f1802766e1ff
SHA1 42191afd20e6359b4c5678acb96ecb03091d17e5
SHA256 39189db0555c346d801a918f2f4e1c1a11a279123f9c23a984e1de2d7d70c888
SHA512 4ed63a2a792909df0ed07d5c2db2fbd6c14515d3e00c0618b710f4571fb42b91eada8af0d5d260b98f3035f72260fdc59e747470a51bfe75c5bb3b6b4183dddc

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll

MD5 209d8fffc7ba17b5edf69a558b220f5e
SHA1 3e8e000fff561708b23495ae87bdd4bffb1f9e43
SHA256 56951b5eb91204eda94ae882da53a97a23b9e0accdff44b359a2dae210d10eef
SHA512 9df7533a9daba33c808b3fb40b63741f54619d5f933a40890fae124aecc1439cf3799253512cba50a897c57e1fd15f587449caa8101bf23756e435dd2712f617

\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe

MD5 ba4695385687403aa1820346c88dfa8a
SHA1 e7d0f5a1b1d842341a4f0e863f9280a02d7471d6
SHA256 2b2a045e70225cd04c7596d61e0950f103dc3745483b3b54032e85ea33db3b97
SHA512 942f6a9d5a41036e15d71b7b93a4f0438447c4ebe053e22a4926e5fc13dc912de44df2a203ea0f28a858d7337d7a4bfa4b26127fe5d401d0db76ba0479a87536

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll

MD5 79f32577d7ce7035054e987310187440
SHA1 58416d1488eed6f47ad78a7d0c62b854fe09b895
SHA256 3140555e504168d849baa4d7cdf0f8f7fea2a7806d02dcde39afa8f56c72d6e3
SHA512 d3e00f991fe41b365f3ed39f40babbb8ec8e4932b2e91395f7f5830a31b9cf6d2e1c28ac5c0816f63e874edf389974152de7676333aaec95543c37aea5afa5b5

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll

MD5 7e8b85dd3007138116d279c014ab070a
SHA1 d6d69499bf74bb3f49b082cfef30ebc28e19454e
SHA256 04f1d61353078eec7174b0dc53ad6307615f5841523be566e935d428c70c3bad
SHA512 342162246f576e85b52c82324f6c520174f21823b8bcdcf52926c56dee313ea7c028f9934f916e6d42d3368a5371ae4e8fb4c9578b02ea32963a4304d2927769

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll

MD5 d10a7cc5638f78f173901891caa0ea5f
SHA1 1d965ff58ad75e94bd00d9a1781a7f7610c1123f
SHA256 92243e4c5b7f4df7491917b78bb09a02f986a7e8e79448e48a8f26eb895396a6
SHA512 12886949d010e89adcfc0d75e2f81bbcc2a8be770be96f1e27ee380c79d1e93d02eed738431c18baa9a9020e732545e5390d02d41237b52c565141585ffa874f

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll

MD5 8d5dfbad16f8a6c928fcbb84c6cda655
SHA1 46d0ac5e455e6b40951b04867aaf21f793e38783
SHA256 bdf16d30334874de3710dc2b37a493a1845d396d96f9c80d67d2c589866f4b71
SHA512 4737730d149fac4e7569ba8ed804cdd1d8c2b347011746901ddaa922331ecf95c80854029490b802099ba8e0aabba5269dad89a0cd481500b425c9c9a751ea74

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll

MD5 dbb37c245084bfa6d149d6490a3def6c
SHA1 46469fd95dcbe9018dd5c20457c6b80f882b06f0
SHA256 b14bee662471d747f7c94a62d45c6426934faeb5a597b2ea092bd621253f45b3
SHA512 904f04fbbcdd50b3e30620c4e4be477a21c0c3639e54651a929daa4e4700f486112edfeba5496213b6c14732a45205581a93bdabbe9ede27c84e6ed31b1d7339

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll

MD5 078142e03762f182c420dcec5bf57522
SHA1 f715f1c82fa9311405cb7d50bb506dd4a08bcfa3
SHA256 9e196cc00408096c7bf61a3bb7615182432b15e9476f86e8e556c7dbeec3597f
SHA512 23a3ad0ab94e064f45f317352beaa615040d74f1fd3a20ef29d8d1e53a2b0cfcec5f359de688185f3695682dc22ef51ba04001d175d016504335acb4e1e889a2

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phttpct.dll

MD5 64451f703e38ce8ce558916d1b3b298c
SHA1 88278506406f9125daff32f8e8459574fe8f38df
SHA256 9c9c071529d43298873a129c695508edc52a83e528ac0266fc58707faf2e58df
SHA512 559e61be7b7a7d3000e523f6b208805e6908bbfd7fd123b4b869f5ee95337d76fb36e5807a1dcbee3a5379ae9a2f5dbce52be7efbf31c241051c9d9c13af05ca

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll

MD5 3470b060c813074d7ba1e06c019ec03c
SHA1 c388e332081ca424274b92f53429e1ddee8e5775
SHA256 584b0adfb7daf42504cc7a443f031f1463fbe19b63de8334fc8f18acdf3b1865
SHA512 806a2ea5d5b703d4cac8973312da485497c14431b9c1b1a1a9e15f6423215961f1a2d54a429a4aca6f67435f2a3348dea426b86293b46c62af10b7953639bf38

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll

MD5 f807dad358658e35e6f0fea173a6b4cf
SHA1 0fb2d953de4f1cbc548b6e5525580663c1896295
SHA256 b61bc01059e4e9d8dad5a971a071fec40e7b21ee13155de14604da02f997f1bb
SHA512 f2002553b415e92874254d07ba44a20104df027443c93b6df7f8240c18d9218b648b4a02c0545ffd2d92ae8b487b59af21bfac5dda5d3e68b2bbb6f06f7ee2a8

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmsg.dll

MD5 196c4d88c7c780fc2dc83393512883de
SHA1 6343f5711789bfb866e18a172828eb7d45606a62
SHA256 ee57dff1e8d60a585c5ee37a52f5c825b75740359fddb5006bb913bb156cadfd
SHA512 be685fa9d87c0b7521176fd6bffa37206d068f4efceafc5996bb5ff2f44d49e451a1ba02a28f30c5a6a0cd79c3ccd22da06e3ab7752dcb2f75ab979f56347e89

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll

MD5 c1b14848de571fc85c73c79c80bc1d1a
SHA1 b133d05665047306caa7765db6da69660acaa50d
SHA256 b78b1161f3537108d573df6d695225e27b460e9afdedcdae714ecb99b25d7cdb
SHA512 e52478f47841b393d7f917349b22f128cf2c2d4caa1bee02c51a3ba7103579d49d1f243664ae0e099f3fb89b5269b2f6e7188d3a9b234bddb533249eec3c54cc

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pradio.dll

MD5 05de9983317fe259ad8c88c7880ebeb3
SHA1 919d95dafc2ff2580952b8dd14ab8471a73eb4e6
SHA256 e35c66f120064017cf47255faee3dbf959bbd9ae182db647becf7d4da0bba53a
SHA512 7b2a72955ed6637aef4df3af5cd20f9bd7afe4a3bb926d9353b1da8848628ba07fccf03056074f1208c1a04aafbd437000c817759f25e2c042f0f01f24ca8c11

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll

MD5 05b1f48b706799cf55cd8b52a7462f8f
SHA1 003efc04aa08e9f1e59aee6199acf5c1863b6818
SHA256 3974ea1583ee359c187b2e052985b022656acbbaa156cd030bb02cf7c68c2627
SHA512 206ecbb1e2de89765e08a5f6f6bcd1012424129a72ec88e248bd38f182dfdf34cc85c8b3d4bdefcbf3163b7998064d2d1ee123b6e1b43b5658b13c13dfc47144

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll

MD5 7396779ccb97fe1db173857422226451
SHA1 0f7bc5793f586751eb47485a03c0afc8e3d7ab3f
SHA256 5e8d884b7bc5f19ef56469e3804998832b281ba1d7b16101acf957046b3b1ef2
SHA512 0130a673a8655e2452ea5f4d52973dfce453090eca40d864e18fa33840d02038dafe07d45bb844c39438dc8bc83bad75687203ab9b3469d04bcc886faf724193

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pscript.dll

MD5 25ac933b59ff336367bd6e28562de857
SHA1 41ce69a759faccc49bdb85b1f4f2a84e2ccd1e6e
SHA256 5750ed2046caa1ac617254f7c1e4cea3ea8f01bb7eaefcf5a668b49d716640d8
SHA512 816ae02a00148589d5be0bf9246220fbb94a5029880e918d307cf8134d74c3d1883e177ee61d2cfcdd9eb01151a86770c60d14197109ffe71f852edcf2e08f76

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll

MD5 c77e6a85934d428844473c9763747fe9
SHA1 31c04d3314cb73be5d623f1bb709f54816ce27a9
SHA256 d3f4cddd3f6865c97d75613e4aa0185e5b42e75f44e2c0f0480cfba7f9176a1a
SHA512 4ddb51d796dd34635e802bcce03e90eddcf62795f0f1b11a96e6099e4ad963f59fc6d0ab178640a6015ffce44d23231627f3ae9c94bef95cfb7e0a2507aaf0c8

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrcAs.dll

MD5 05cb544850086b21597f3580b01e66fa
SHA1 e1363223d3524141eb87aa65bd15606fc0031845
SHA256 a33efa0b4cbabee12981cc49a96b9144b94a893100abe158b1e055677a7dc4dc
SHA512 c1b1c7898e07b8ed50255c3e277cc44f61eae53b46943d0e04e43e05be72b1865124d3395424bba85755510fd1f71bd4b11312577729cf2325beb4bb41a8be16

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2ptpinst.dll

MD5 01acc19c649d35ae3e049095d77fe5bb
SHA1 edf0fc52a8cc56f8aa68f05cb5610f37c1f6546a
SHA256 bad75288a411654a815184bf6e140771ed1da28fbf2392da7c002e8785700e0d
SHA512 8400b6db578440027fe3417ede304a82aacd3025b0e7f433873e4001e3c25e6951d733ee803de13ef271336b24680de4a197258eed731c0d3bf796e4f3a73e6e

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe

MD5 ede9efd100fed6f723ef26eef67f5bc7
SHA1 97401b6d2967a2dfb2ba0605d84e8abd7368450e
SHA256 c4ac82da7e7eb1e5e7854571305897a8ae6a2f5704a3116ed8454188d9df3eb5
SHA512 7570b96fc89e03daaf8d52caa0aacabb3ec626619678dba75d63d5482ff0a479be002fac3c7d5523f873c84f317aea44a3008d702f4c99cd3ded490dfc80f21a

\Program Files (x86)\CouponAlert_2p\bar\1.bin\2puabtn.dll

MD5 af4987ef966a6270b5e99fafee9c9fa8
SHA1 2c3a0790e3638e61e711e3b97a6058b24ea49e57
SHA256 9113c634fcdc656a47fedd35a43fd768f6234501e1f12c63c17a599b218e6bee
SHA512 c4323519b534623e84568eb3fd1f61c1c268f22491dfc4bd689eb3af02f466c78c171afb016220d5c086ae8139bc160add0d3bb867f6dbfa4f6d41205b2fdfc9
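The Files list gives four digests per dropped file, and the same files appear under both the 8.3 short path (\PROGRA~2\COUPON~1\...) and the long path (\Program Files (x86)\CouponAlert_2p\...), so a host check should key on the digest and fall back to the file name rather than on the path. Digests are build-specific: another build of the same toolbar ships the same file names with different hashes, which is why a name-only match is worth reporting separately from a digest match. The Python below is an added example and not part of the report: it parses two entries copied from the list above (the SHA512 lines are left out of the sample for brevity; the parser accepts them), hashes every file under a directory in a single read, and reports digest matches and name-only matches. The directory it scans is a temporary one it builds itself from constructed bytes, and the one digest IOC it adds for that constructed file is likewise constructed, so it runs offline; point scan_dir at a real path with the parsed list to use it on a host.

```python
import hashlib
import os
import re
import tempfile

# Two entries copied from this report's "Files" list (behavioral1), in the report's
# own layout: a path line, a blank line, then one digest per line.
FILES_BLOCK = r"""
\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll

MD5 5afbf0822a1353e409b84f406ab6c275
SHA1 b57a215306698751f73a4fec91330aa2739594ea
SHA256 63020f4bb854913dcddeb0b0bd9469751a4861273391127ce041671ffe776dc5

\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe

MD5 ba4695385687403aa1820346c88dfa8a
SHA1 e7d0f5a1b1d842341a4f0e863f9280a02d7471d6
SHA256 2b2a045e70225cd04c7596d61e0950f103dc3745483b3b54032e85ea33db3b97
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files_block(text):
    """Report layout -> list of {path, name, <algo>: hex} dicts; bad digest lengths are rejected."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {cur['path']}")
            cur[algo] = digest
        else:
            cur = {"path": line, "name": line.rsplit("\\", 1)[-1].lower()}
            entries.append(cur)
    return entries


def hash_file(path):
    """All four digests from one pass over the file."""
    hashes = {a: hashlib.new(a) for a in DIGEST_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def scan_dir(root, iocs):
    """Walk root; a digest match wins, otherwise a file sharing a listed name is reported as name-only."""
    by_digest, by_name = {}, {}
    for e in iocs:
        for algo in ("sha256", "sha1", "md5"):
            if algo in e:
                by_digest[(algo, e[algo])] = e
        by_name.setdefault(e["name"], e)
    hits = []
    for dirpath, _, names in os.walk(root):
        for fn in names:
            fp = os.path.join(dirpath, fn)
            digests = hash_file(fp)
            hit = None
            for algo in ("sha256", "sha1", "md5"):
                if (algo, digests[algo]) in by_digest:
                    hit = {"file": fp, "kind": "hash", "algo": algo,
                           "ioc": by_digest[(algo, digests[algo])]["path"]}
                    break
            if hit is None and fn.lower() in by_name:
                hit = {"file": fp, "kind": "name-only", "algo": None,
                       "ioc": by_name[fn.lower()]["path"]}
            if hit:
                hits.append(hit)
    return hits


def demo():
    """Offline run over a temporary directory built from constructed bytes."""
    iocs = parse_files_block(FILES_BLOCK)
    with tempfile.TemporaryDirectory() as root:
        payload = b"constructed bytes standing in for 2pbrmon.exe; not the real file\n"
        for name, data in (("2pbrmon.exe", payload),
                           ("2pbar.dll", b"constructed: same name, different build\n"),
                           ("readme.txt", b"constructed benign file\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # Constructed IOC carrying the digest of the payload above, so that one
        # digest match happens without the real sample on disk.
        iocs.append({"path": r"\constructed\2pbrmon.exe", "name": "2pbrmon.exe",
                     "sha256": hashlib.sha256(payload).hexdigest()})
        return scan_dir(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The lookup table is keyed by (algorithm, digest) so that an IOC list with only an MD5 or SHA1 still matches; when several algorithms are present SHA256 is tried first.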

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:35

Reported

2024-10-27 22:37

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
N/A N/A C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CouponAlert_2p Browser Plugin Loader = "C:\\PROGRA~2\\COUPON~1\\bar\\1.bin\\2pbrmon.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{60E91567-EF8A-4520-BCE2-83ABA5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799}\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a421c8f-e238-4aeb-8874-b8b5f2cc4772} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a421c8f-e238-4aeb-8874-b8b5f2cc4772}\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pscript.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2ptpinst.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\Settings\s_pid.dat C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmsg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrcAs.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2ptpinst.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmedint.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\LOGO.BMP C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pscript.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\Message\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\chrome\2pffxtbr.jar C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbarsvc.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmedint.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskplay.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrcAs.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieuser.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbarsvc.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\chrome\2pffxtbr.jar C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskplay.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2puabtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phttpct.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pimpipe.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pradio.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pimpipe.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\Message\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrmon.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrmon.exe C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File opened for modification C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
File created C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmsg.dll C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556}\AppName = "2pimpipe.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d}\AppName = "2pmedint.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c}\AppName = "2pSkPlay.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94}\AppName = "2pSrchMn.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{7b9f8c21-46ec-4c0b-8683-e755ef84577a} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965dcf-718f-4148-becf-5a2b466f4556} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225f6c9-cf64-4d6d-ae8a-169779fd7b4d}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{3462c343-be19-4143-af70-cefb56f46fc6} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc}\AppName = "2pSlSrch.exe" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f99d2ae-5c90-43c2-a2fe-81dbe512e2fc}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2af08e71-3657-462f-898c-f7e791948f94}\AppPath = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16fe2505-f2a0-4782-b035-af0e5188c02c} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84576f6e-0660-4b4f-8918-bc6c975044d4}\ = "Disable Addon Rebuttal Control" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61DAB0AD-AD23-4E40-84AC-7C6CE64D4EB3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23b38049-323f-443d-9732-f454e5b15b72}\VersionIndependentProgID\ = "CouponAlert_2p.SettingsPlugin" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f0a2185-da7e-4614-91c0-dd5f4a76cb1b}\TypeLib\ = "{79583de9-d0c2-44ef-ae0d-cbfa16c2a785}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1948934a-1c68-4b2b-9a1f-d12e2a062a1a}\ProgID\ = "CouponAlert_2p.ToolbarPlugin.1" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f0a2185-da7e-4614-91c0-dd5f4a76cb1b} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IMsiDe1egate.Application.1\CLSID\ = "{0002DF01-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0bdf6c42-132c-45f5-92de-dc13f40c6dab}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{457a4cb8-0391-409d-98b4-c4ccb2849670}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3276E8A8-A233-449B-A7EB-FCEE21246018}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin\\" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36A7148B-639E-423C-90BB-30B6E1A40BD7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8867ac9b-4426-44a2-a693-c95850d3405c}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8867ac9b-4426-44a2-a693-c95850d3405c}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBAF2B4F-510A-47C7-86BA-E7D94D1162F6}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAFC4DAE-7794-4E16-9A98-F6001303DCD0}\ = "ITemplatePopupMenu" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2df3856-676c-41dc-a73b-facbdf8e81e9}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0636D37-97D0-4DC4-95A6-93AABA07437F} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{def07acd-bcea-4269-933a-4087d20842bb}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8542E415-0E53-4261-8BE4-0D1598229D90}\1.0\0 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8867ac9b-4426-44a2-a693-c95850d3405c}\Programmable C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}\ = "ITemplateBarMenu" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}\TypeLib\ = "{D7CE22AF-CCB3-423F-84D5-4D77152181F3}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D8E17B-312E-4E12-913B-A841A8631143}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21D9997E-5D2A-4737-BCBA-C958C0590295}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7CE22AF-CCB3-423F-84D5-4D77152181F3}\1.0 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58E64AEE-516A-4DFC-AC38-31C50E8AF0F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{860AF5D1-0735-409D-8E5F-E3E99356D7E9}\ = "ISessionData" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{79583DE9-D0C2-44EF-AE0D-CBFA16C2A785}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.SettingsPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{411b1946-3277-4a7f-9f60-745266360613}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{041278C7-DF92-486D-AE85-921BDFC75A43}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.ToolbarPlugin\CurVer\ = "CouponAlert_2p.ToolbarPlugin.1" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21D9997E-5D2A-4737-BCBA-C958C0590295}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.MultipleButton.1 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{411b1946-3277-4a7f-9f60-745266360613}\InprocServer32\ = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin\\2pdatact.dll" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2df3856-676c-41dc-a73b-facbdf8e81e9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23b0ae65-17d2-4491-98e5-b1aa6228dda2} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8997561D-CF0B-42C7-AAE6-78801B3ADC7F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFB0C189-5077-4340-9838-AF7B8E792A54}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0636D37-97D0-4DC4-95A6-93AABA07437F}\ = "IRadioSettings" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1948934a-1c68-4b2b-9a1f-d12e2a062a1a}\ProgID C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CA3D0AB-F807-462C-BA7F-E27F07F91E32}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23b0ae65-17d2-4491-98e5-b1aa6228dda2}\ C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8997561D-CF0B-42C7-AAE6-78801B3ADC7F}\TypeLib\ = "{D7CE22AF-CCB3-423F-84D5-4D77152181F3}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}\ = "ITemplateBarMenu" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9D45087-1CF1-452E-9649-FDFDAC578E03}\ = "IDataCtrl" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.DynamicBarButton.1\CLSID C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBAF2B4F-510A-47C7-86BA-E7D94D1162F6}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CouponAlert_2p\\bar\\1.bin\\" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8AF87C1-0B1E-494B-AAF0-CECC3FFEDF99}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BDA50D2-5597-4C68-A842-9B857FCCDA49}\TypeLib C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4d8eacbc-e293-4462-b91e-42ea5b54b743}\VersionIndependentProgID\ = "CouponAlert_2p.Radio" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16fe2505-f2a0-4782-b035-af0e5188c02c}\MiscStatus\1\ = "131473" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60e91567-ef8a-4520-bce2-83aba5256799} C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.MultipleButton C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7717f4b3-397f-4ce5-9192-6effde3ac999}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1948934a-1c68-4b2b-9a1f-d12e2a062a1a}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.HTMLMenu.1\ = "CouponAlert_2p HTML Menu" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CouponAlert_2p.HTMLMenu\CLSID\ = "{95B3F577-D54A-4831-B2B4-8AACEEDA85CF}" C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53CA18E7-5223-4358-9FD9-97C62C66C5BD}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\2pSetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 4512 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 4512 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 4512 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 4512 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 4512 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
PID 4512 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 4512 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 4512 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
PID 4512 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 4512 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
PID 4512 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2pSetup.exe C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2pSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -remove

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -install

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe

"C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe"

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe

"C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe" 2ptpinst.dll,#5

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbarsvc.exe

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phttpct.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmsg.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pradio.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pscript.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrcAs.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2ptpinst.dll

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe

C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2puabtn.dll
