Reason Labs

{0c558677-02bf-4c5b-8045-8ab46c3ad497}.dll

Pass and Play

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The module {0c558677-02bf-4c5b-8045-8ab46c3ad497}.dll by Pass and Play has been detected as Adware.Yontoo. It is typically executed from the user's temporary directory.

Publisher:
Pass and Play  (signed and verified)

Version:
1.0.5710.19206

MD5:
0c0481b914271e7454288627d70cbb1e

SHA-1:
a4d7dcf892c14288550514cd94217464573ee6d9

SHA-256:
863416d71ee34837b18490c0b1792c67d67eb482335a55cc3cec99d40555706e

Detection:
Adware.Yontoo

Risk:
Medium

Explanation:
Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser.

Analysis date:
10/19/2018 3:15:46 AM UTC

File size:
532.7 KB (545,504 bytes)

Product version:
1.0.5710.19206

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{0c558677-02bf-4c5b-8045-8ab46c3ad497}.dll

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
7/9/2015 3:00:00 AM

Valid to:
7/9/2016 2:59:59 AM

Subject:
CN=Pass and Play, O=Pass and Play, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7D61D56D95A57700E33F4323BC658FD9

File PE Metadata
Compilation timestamp:
8/20/2015 8:40:18 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C1FE

Entry point:
55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, 90, 8D, 00, 00, FF, 75, 10, FF, 75, 0C, FF, 75, 08, E8, 07, 00, 00, 00, 83, C4, 0C, 5D, C2, 0C, 00, 6A, 0C, 68, 10, 5D, 05, 10, E8, E3, 2E, 00, 00, 33, C0, 40, 8B, 75, 0C, 85, F6, 75, 0C, 39, 35, CC, FF, 07, 10, 0F, 84, E4, 00, 00, 00, 83, 65, FC, 00, 83, FE, 01, 74, 05, 83, FE, 02, 75, 35, 8B, 0D, BC, 65, 04, 10, 85, C9, 74, 0C, FF, 75, 10, 56, FF, 75, 08, FF, D1, 89, 45, E4, 85, C0, 0F, 84, B1, 00, 00, 00, FF, 75, 10, 56, FF, 75, 08, E8, 11, FE, FF, FF, 89, 45, E4...
 

Entropy:
5.4802

Developed / compiled with:
Microsoft Visual C++

Characteristics:
0x8450

Code size:
272.5 KB (279,040 bytes)

There are numerous known code variations that share the same compilation structure.

