2048 Puzzle Game

By GoldSparrow in Potentially Unwanted Programs
Threat Scorecard

Popularity Rank: 5,518
Threat Level: 80 % (High)
Infected Computers: 106
First Seen: April 21, 2021
Last Seen: April 16, 2026
OS(es) Affected: Windows

The 2048 Puzzle Game browser extension should not be confused with the legitimate portal h[tt]p://2048game[.]com/, which lets users play a sudoku-like game for free. The 2048 Puzzle Game browser extension is published by h[tt]p://2048-game[.]review, which takes advantage of the popularity accumulated by h[tt]p://2048game[.]com/ in October 2017. The 2048 Puzzle Game extension from h[tt]p://2048-game[.]review appears to have been installed by 86,607 users (at the time of research), but has only two reviews that gave it a five-star rating on:

h[tt]ps://chrome.google[.]com/webstore/detail/2048-puzzle-game/bjjkmbkbhggaclclhhkahddjkfpbabcm

The 2048 Puzzle Game extension from h[tt]p://2048-game[.]review is considered a Potentially Unwanted Program (PUP) that may lead users to believe they are enjoying content from h[tt]p://2048game[.]com/. Computer security analysts note that the 2048 Puzzle Game extension is an ad-supported program designed to change your default search provider to h[tt]p://2048-game[.]review/?type=comoima&q=[KEYWORD] and load promotional offers on all pages you browse on the Internet. You can find out more about its marketing functionality by reading the Terms of Use, EULA and Privacy Agreement published on 2048-game.review/ext/2048/terms.html, 2048-game.review/ext/2048/eula.html, and 2048-game.review/ext/2048/privacy.html. When you have the 2048 Puzzle Game extension running in the background, your search requests via the Omnibox and search bar are redirected via h[tt]p://2048-game[.]review/?type=comoima&q=[KEYWORD] to:

h[tt]ps://search.yahoo[.]com/yhs/search?hspart=skylikes&hsimp=yhs-newtab&p=[KEYWORD]&type=comoima

The page listed above offers access to a customized Yahoo search engine that loads promotional content from a set list of affiliates. That way, the operators of h[tt]p://2048-game[.]review can redirect users to paid content and claim affiliate revenue from Yahoo. The advertisements generated by 2048 Puzzle Game may not be verified and may include links to phishing pages. Users who install the 2048 Puzzle Game extension agree that they cannot hold its operators responsible for damages that result from following links displayed by the 2048 Puzzle Game extension. Therefore, you may want to consider removing the 2048 Puzzle Game app.
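The two-hop search redirect described above can be looked for in web proxy logs. The following is an added example, not code from the original report; the log layout (timestamp, client, URL) and the sample lines are constructed, and only the hosts and query tags come from the text above.

```python
from urllib.parse import urlsplit, parse_qs
# Indicators from the write-up above, refanged for matching.
REDIRECT_HOST = "2048-game.review"
YAHOO_HOST = "search.yahoo.com"
TYPE_TAG = "comoima"       # type= value carried on both hops
PARTNER_TAG = "skylikes"   # hspart= value on the Yahoo hop

def refang(url):
    """Make a defanged indicator (h[tt]p://a[.]b) parseable again."""
    return url.replace("h[tt]p", "http").replace("[.]", ".")

def classify(url):
    """Return (hop, keyword); hop is 1, 2 or None for unrelated URLs."""
    try:
        parts = urlsplit(refang(url.strip()))
    except ValueError:          # malformed URL in the log
        return None, None
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if TYPE_TAG not in query.get("type", []):
        return None, None
    if host == REDIRECT_HOST and "q" in query:
        return 1, query["q"][0]
    if (host == YAHOO_HOST and parts.path == "/yhs/search"
            and PARTNER_TAG in query.get("hspart", []) and "p" in query):
        return 2, query["p"][0]
    return None, None

def find_hijacks(lines):
    """Pair hop 1 with a later hop 2 from the same client and keyword."""
    pending, confirmed = {}, []   # pending: client -> keyword seen at hop 1
    for line in lines:
        fields = line.split(None, 2)   # assumed: <timestamp> <client> <url>
        if len(fields) != 3:
            continue
        hop, keyword = classify(fields[2])
        if hop == 1:
            pending[fields[1]] = keyword
        elif hop == 2 and pending.get(fields[1]) == keyword:
            confirmed.append((fields[1], keyword))
            del pending[fields[1]]
    return confirmed, sorted(pending.items())

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 http://2048-game.review/?type=comoima&q=weather
2024-01-01T10:00:01Z 10.0.0.5 https://search.yahoo.com/yhs/search?hspart=skylikes&hsimp=yhs-newtab&p=weather&type=comoima
2024-01-01T10:02:00Z 10.0.0.7 http://2048game.com/
2024-01-01T10:04:00Z 10.0.0.9 h[tt]p://2048-game[.]review/?type=comoima&q=news
"""
```

Calling `find_hijacks(SAMPLE_LOG.splitlines())` returns the clients whose search completed both hops, plus those seen only at the first hop; the legitimate 2048game.com host is not matched.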

Analysis Report

General information

Family Name: Trojan.Downloader.Agent.NA
Signature status: Self Signed

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File has exports table
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • Better Cloud Solutions
  • Lavasoft Inc.
Company Short Name
  • Better Cloud Solutions
  • BetterCloudSolutions
  • Lavasoft
File Description
  • Lavasoft quicklaunch browser
  • WebNavigatorBrowser
  • WebNavigatorBrowser Installer
File Version
  • 85.0.4183.121
  • 2.3.0.14
  • 2.1.2.1
Internal Name
  • chrome_pwa_launcher
  • setup
  • webnavigatorbrowser_pwa_launcher
Last Change
  • 0
  • 0f89ef11042a546cf684de326b6b33ea23869b1b
  • 204fb33ef566736440f8445032aef3e4b85a9bf2
Legal Copyright
  • Copyright 2020 Better Cloud Solutions. All rights reserved.
  • Copyright 2020 Lavasoft. All rights reserved.
Official Build 1
Original Filename
  • chrome_pwa_launcher.exe
  • setup.exe
  • webnavigatorbrowser_pwa_launcher.exe
Product Name
  • Lavasoft quicklaunch browser
  • WebNavigatorBrowser
  • WebNavigatorBrowser Installer
Product Short Name
  • quicklaunch browser
  • WebNavigatorBrowser
  • WebNavigatorBrowser Installer
Product Version
  • 85.0.4183.121
  • 2.3.0.14
  • 2.1.2.1

Digital Signatures

Signer: Better Cloud Solutions LTD; Root: COMODO RSA Extended Validation Code Signing CA; Status: Self Signed
Signer: Lavasoft Software Canada Inc.; Root: Entrust Root Certification Authority - G2; Status: Root Not Trusted

File Traits

  • HighEntropy
  • Installer Version
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 2,286
Potentially Malicious Blocks: 390
Whitelisted Blocks: 1,891
Unknown Blocks: 5

Similar Families

  • Downloader.Agent.NA

Files Modified

File: \device\namedpipe\crashpad_5064_uuobzvprpskkvdux; Attributes: Generic Read,Write Data,Write Attributes,Write extended,Append data
File: \device\namedpipe\crashpad_5064_uuobzvprpskkvdux; Attributes: Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
File: c:\users\user\appdata\local\temp\webnavigatorbrowser_installer.log; Attributes: Read Attributes,Synchronize,Append data
File: c:\users\user\appdata\local\webnavigatorbrowser\user data\crashpad\settings.dat; Attributes: Generic Read,Write Data,Write Attributes,Write extended,Append data

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletion
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletion
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnlockFile
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent

Shell Command Execution

c:\users\user\downloads\5cc473c3aa002b23d35298deef9f32ce04ec5276_0002716832 c:\users\user\downloads\5cc473c3aa002b23d35298deef9f32ce04ec5276_0002716832 --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Vggtqzls\AppData\Local\WebNavigatorBrowser\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=WebNavigatorBrowser --annotation=ver=2.1.2.1 --initial-client-data=0x2c0,0x2c4,0x2c8,0x2bc,0x2cc,0x7ff6697d58f0,0x7ff6697d5900,0x7ff6697d5910
