Gen.Variant.Adware.Kazy.654480_3ef5888176 – Adaware

not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), Gen:Variant.Adware.Kazy.654480 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 3ef588817670bcddcd1b63156787d19a

SHA1: 82d2c394d590beb7c82c36857e41c0854f0636dc

SHA256: 4d203663a5dd102f5c13a89a30c0cfcf323b02bb13ffe137340a990928ca045a

SSDeep: 24576:kIS4xYCd7AA6g/SOfGA2yhw vJpKBYYbOI Yg1ICihTthfATEHDvJ:zS4xPAWqOfv2sjRpKBYDbYg1IjlbfzB

Size: 1071027 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Xacti, LLC

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nsr8.tmp:592
Note-up.exe:380
nsz2.tmp:928
nsh30.tmp:644
nsc15.tmp:1864
regsvr32.exe:1924
%original file name%.exe:308

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process nsr8.tmp:592 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc15.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss13.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe (4152 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (0 bytes)

The process nsz2.tmp:928 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\heu39T.nss (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Note-UP_Setup[1].exe (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe (1257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1E.tmp (15 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\vnsb2D.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss17.tmp (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\NUIns.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh30.tmp (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\check[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (115980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\WmiInspector.dll (0 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\nsb2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (0 bytes)

The process nsh30.tmp:644 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\InvokeShellVerb.dll (4 bytes)
%Program Files%\Note-up\Note-up.exe (136249 bytes)
%Program Files%\Note-up\uninstall.exe (1686 bytes)
%Documents and Settings%\%current user%\Desktop\Note-Up.lnk (1 bytes)
%Program Files%\Note-up\noteupshell0.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll (77 bytes)
%Program Files%\Note-up\Note-up.ico (2104 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\InvokeShellVerb.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\FindProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll (0 bytes)

The process nsc15.tmp:1864 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso19.tmp (0 bytes)

The process %original file name%.exe:308 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (34013 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)

Registry activity

The process nsr8.tmp:592 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 43 5E 4F 03 0B 11 FA B6 38 5E F2 71 B9 D6 D0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Note-up.exe:380 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 BC F9 7E E4 5C BD 64 04 6B 61 19 15 56 FE A5"

The process nsz2.tmp:928 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"source" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"DisplayName" = "Note-UP"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"pname" = "NU"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE C9 E8 36 38 37 11 54 32 A8 E3 49 62 75 94 2F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"stats" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"Publisher" = "QUAHOG LIMITED"
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsh30.tmp:644 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd33.tmp\ProcessKiller.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Note-up]
"DisplayName" = "Note-up"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E FA 9F 4A 62 32 88 C9 A7 63 78 95 83 08 83 B6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Note-up]
"DisplayIcon" = "%Program Files%\Note-up\Note-up.ico"
"Publisher" = "Note-up"
"UninstallString" = "%Program Files%\Note-up\uninstall.exe"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"DCGUID" = "{9C8F8BB7-4DB7-4D0C-8786-677B2AC39B58}"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Note-up" = "%Program Files%\Note-up\note-up.exe /watch"

The process nsc15.tmp:1864 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 2D 29 6B 67 36 0C 76 A9 2E 92 6F 07 BC 7A C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:1924 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 7F 5E 9E 41 F1 C7 CB 65 5E A0 BB 68 3F AF 11"

[HKCR\*\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"

[HKCR\CLSID\{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}\InprocServer32]
"(Default)" = "%Program Files%\Note-up\noteupshell0.dll"

[HKCR\CLSID\{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}]
"(Default)" = "Add event reminder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}" = "Add event reminder"

[HKCR\Directory\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"

[HKCR\Directory\Background\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"

[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"

[HKCR\Drive\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "15"

[HKCR\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "13"
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"

[HKCR\Drive\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"

[HKCR\Directory\Background\shellex\ContextMenuHandlers\Add event reminder]
"TypeID" = "11"

[HKCR\CLSID\{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"

[HKCR\Directory\shellex\ContextMenuHandlers\Add event reminder]
"(Default)" = "{DD81E8DB-AD66-43C0-8600-F6C26C928A5A}"

The process %original file name%.exe:308 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 69 12 F3 A5 FF 1A CB CB 8C 6A F5 58 3A 8C 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
cf8ebc7d6a3245d64ee155819d2a628e	c:\Documents and Settings\"%CurrentUserName%"\Application Data\NUIns\NUIns.exe
f2e53eda1a543681c6bb02ba68501ad9	c:\Documents and Settings\"%CurrentUserName%"\Application Data\NUIns\Uninstall.exe
2a5f246b97d00f77b78d15f72923839b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe
6e108fa5f16d2ab00886f0619f6b2d25	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll
583e342e2d7bbd98a5a4ab760654a0c8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh30.tmp
8501f079ef3fc63721d0164b8a34b4a9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr8.tmp
cf8ebc7d6a3245d64ee155819d2a628e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz2.tmp
583e342e2d7bbd98a5a4ab760654a0c8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Note-UP_Setup[1].exe
8501f079ef3fc63721d0164b8a34b4a9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\check[1].exe
2a5f246b97d00f77b78d15f72923839b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe
f2e53eda1a543681c6bb02ba68501ad9	c:\Program Files\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\Uninstall.exe
cf8ebc7d6a3245d64ee155819d2a628e	c:\Program Files\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\vnsb2D.tmp
07cdbcd2122577053874ecc640e111c7	c:\Program Files\Note-up\Note-up.exe
2d14118831ede18cea992caedb834c58	c:\Program Files\Note-up\noteupshell0.dll
01d2285d1ec4d486b8841d029c54f96c	c:\Program Files\Note-up\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
nsr8.tmp:592
Note-up.exe:380
nsz2.tmp:928
nsh30.tmp:644
nsc15.tmp:1864
regsvr32.exe:1924
%original file name%.exe:308
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsm10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc15.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss13.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\heu39T.nss (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Note-UP_Setup[1].exe (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\Uninstall.exe (1257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1E.tmp (15 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\vnsb2D.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss17.tmp (15 bytes)
%Documents and Settings%\%current user%\Application Data\NUIns\NUIns.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh30.tmp (143896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\D0344D56-1445843908-DA1F-4A65-5000DA5C9464\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\check[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (115980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\InvokeShellVerb.dll (4 bytes)
%Program Files%\Note-up\Note-up.exe (136249 bytes)
%Program Files%\Note-up\uninstall.exe (1686 bytes)
%Documents and Settings%\%current user%\Desktop\Note-Up.lnk (1 bytes)
%Program Files%\Note-up\noteupshell0.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp\ProcessKiller.dll (77 bytes)
%Program Files%\Note-up\Note-up.ico (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (34013 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Note-up" = "%Program Files%\Note-up\note-up.exe /watch"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	782336	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	974848	1736	2048	2.02489	cbb9fea95082627d2fea8d8f9c8189eb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 104
b6880f11e1f4cf7bd5fd7baa5af42294
fba830ec72947de9e35db9e2b4d42c3e
986b19d069cf0ce15baa40f3c1ae2bcf
4d2abc93d839057a3a0f69ac312266ca
193c2dc649b8195fb99ba6d9a4800935
6169e1e69bff5d80da4ba8bd57230b9e
6fef3b40de926f03c2872c8b043db1ee
4c633cf8551319c40c4e937314c85b40
0e1739fb38518bdf6b6d211a420a2261
0fcf7edf2968af90beb49b929c14d3f2
f81ec225f34f5f9114475d14acc77c07
32b0dd4ada7fd6741737c4fb3b640828
4255e95b12d72a834a480818c30a185f
03564fd07ea7f021ecd60bc9aef7b8ab
249bde48b647c53379627edccc039e99
a576590e91169f1240cccccb73a149e2
7f52e2e974df39c4c27fa112aab679a4
0b528ce9c13b207b093859f757703e7d
e0919f5ec9c9e750362ca45a8ccfd343
59c7d273e5f4b4728f6499138a02a3bc
21bff53f98cb462c199f6d34d80b3d88
752bfe5611660c4dc0db2ce756fb3649
9fa145fcd5fde7ee2ada31587a19f0dc
2f545c4174ffb2ace26fa9746a282c7e
2629e88e7ff580c648328cf1f8f44256
6b80491ccab2e1de29124e779a8d4f50

Network Activity

URLs

URL	IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/	54.243.78.255
hxxp://livestatscounter.com/countstats/count.php	95.211.189.17
hxxp://livestatscounter.com/SysInfo/Validate.exe	95.211.189.17
hxxp://livestatscounter.com/Generic/vos.php?ch=NU&rdsn=0&idn=0&sid=&isnw=2&civ=2&or=st&pac=NU&guidv=2&vpname=&prdk=&tst=	95.211.189.17
hxxp://livestatscounter.com/vuupc/stats.php	95.211.189.17
hxxp://d16hr9n7t75k58.cloudfront.net/Note-UP_Setup.exe	54.192.93.211
hxxp://download-servers.com/SysInfo/Validate.exe	95.211.189.6

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /SysInfo/Validate.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download-servers.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Mon, 26 Oct 2015 07:18:19 GMT

Content-Type: application/octet-stream

Content-Length: 61981

Last-Modified: Fri, 15 May 2015 16:16:55 GMT

Connection: keep-alive

ETag: "55561bf7-f21d"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /SysInfo/Validate.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download-servers.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Mon, 26 Oct 2015 07:18:19 GMT

Content-Type: application/octet-stream

Content-Length: 61981

Last-Modified: Fri, 15 May 2015 16:16:55 GMT

Connection: keep-alive

ETag: "55561bf7-f21d"

Accept-Ranges: bytes

<<< skipped >>>

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 150

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3530\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:02 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 187

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4587\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:02 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:02 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 187

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4586\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:18 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 187

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3531\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:18 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 187

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3532\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:18 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:18 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3533\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3220\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3412\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=1&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3413\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=2&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3414\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=3&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 244

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3216\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"value=1&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:20 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3415\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=4&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:20 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3416\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=5&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:20 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3650\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=9&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:20 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 250

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3652\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=10&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:20 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:20 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 262

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3654\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=12&command_parameters=/ch= /start /p=NU&vostage=main&reason=vmwa&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 250

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3655\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=13&command_parameters=/ch= /start /p=NU&vostage=main&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 257

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3675\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"dloc_stage=21&command_parameters=/ch= /start /p=NU&vostage=main&dloc=1&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"2066\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3510\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/ch= /start /p=NU&pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3534\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:22 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:22 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3638\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:27 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3637\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:27 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3502\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:27 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3503\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:27 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3504\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:27 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3505\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:28 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:28 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3506\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:28 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 186

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3507\",\"guid\": \"D0344D56-9B40-DA1F-4A65-5000DA5C9464\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=39&civ=2&pac=NU\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:28 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:28 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:18 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 122

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NU\", \"utm_addition\":\"tst=&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:18 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:18 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 170

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NU\", \"utm_addition\":\"url=hXXp://download-servers.com/SysInfo/Validate.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Mon, 26 Oct 2015 07:18:19 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NU\", \"utm_addition\":\"url=hXXp://download-servers.com/SysInfo/Validate.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Mon, 26 Oct 2015 07:18:19 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}..

GET /Generic/vos.php?ch=NU&rdsn=0&idn=0&sid=&isnw=2&civ=2&or=st&pac=NU&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 26 Oct 2015 07:18:19 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.21

37..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..HTTP/1.1 200 OK..Server: nginx..Date: Mon, 26 Oct 2015 07:18:19 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..37..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..

GET /countstats/count.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 26 Oct 2015 07:18:07 GMT

Content-Type: application/octet-stream

Content-Length: 202653

Connection: keep-alive

X-Powered-By: PHP/5.5.21

Content-Transfer-Encoding: binary

Content-Disposition: attachment; filename=check.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@...........................4..............................................s.......04..C...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata....1..@...........................rsrc....C...04..D...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /vuupc/stats.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 26 Oct 2015 07:18:27 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.21

e..14854413907LP6..0..HTTP/1.1 200 OK..Server: nginx..Date: Mon, 26 Oct 2015 07:18:27 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..e..14854413907LP6..0..

GET /Note-UP_Setup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d16hr9n7t75k58.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 2481833

Connection: keep-alive

Date: Fri, 09 Oct 2015 08:09:06 GMT

Last-Modified: Fri, 09 Oct 2015 08:01:56 GMT

ETag: "583e342e2d7bbd98a5a4ab760654a0c8"

Accept-Ranges: bytes

Server: AmazonS3

Age: 54991

X-Cache: Hit from cloudfront

Via: 1.1 1215b20e825091002cc9421604422697.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 2ovQjRoxFd4xAduE4LTaKRhGCFQImjunUAqqHeFUl8NKTOMfCf2JGA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........xU...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...xU.......V...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Note-up.exe_380:

.text

`.rdata

@.data

.rsrc

@.reloc

uDPj0

uÂ u

f;P.sB

@.PQj9

f;A.sK

.6.78.9:;

B.CDEFFG

] ;^ }6

u%SSh

9>t.hD

tFHt:Ht.Ht"Hu`

SSSSh

j%XtL9E

tWSShW

tl9_ tgSSh

t'SShl

FTCP

u.Ph$

tAHt.HHt

SSh@B

FtPW

u$SShe

s%j.Zf

xSSSh

FTPjKS

FtPj;S

C.PjRV

large file support is disabled

unknown operation

SQL logic error or missing database

foreign_keys

foreign_key_list

foreign_key_check

defer_foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat4

sqlite_stat3

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

FOREIGN KEY

GetProcessHeap

RowKey

3.8.10.2

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

922337203685477580

SQLITE_

%s(%d)

sqlite_master

sqlite_temp_master

?API call with %s database connection pointer

os_win.c:%d: (%lu) %s(%s) - %s

delayed %dms for lock/sharing conflict at line %d

%s%c%s

cannot limit WAL size: %s

2nd reference to page %d

invalid page number %d

unable to use function %s in the requested context

zeroblob(%d)

%s prohibited in partial index WHERE clauses

%s prohibited in CHECK constraints

%r %s BY term out of range - should be between 1 and %d

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

hex literal too big: %s

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

sqlite_

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

%s cannot use variables

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

%s: %s

%s: %s.%s

object name reserved for internal use: %s

duplicate column name: %s

too many columns on %s

default value of column [%s] is not constant

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

DELETE FROM %Q.%s WHERE %s=%Q

sqlite_stat%d

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

a JOIN clause is required before %s

%s.rowid

%s.%s

duplicate WITH table name: %s

no such collation sequence: %s

cannot modify %s because it is a view

table %s may not be modified

foreign key mismatch - "%w" referencing "%w"

FOREIGN KEY constraint failed

error during initialization: %s

no entry point [%s] in shared library [%s]

sqlite3_

unable to open shared library [%s]

sqlite3_extension_init

automatic extension loading failed: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

column%d

%s:%d

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

recursive reference in a subquery: %s

multiple recursive references: %s

table %s has %d values for %d columns

circular reference: %s

multiple references to recursive table: %s

SCAN TABLE %s%s%s

sqlite3_get_table() called with two or more incompatible queries

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor did not declare schema: %s

vtable constructor failed: %s

vtable constructor called recursively: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

ANY(%s)

VIRTUAL TABLE INDEX %d:%s

USING INTEGER PRIMARY KEY

INDEX %s

COVERING INDEX %s

PRIMARY KEY

AS %s

TABLE %s

SUBQUERY %d

%s.xBestIndex() malfunction

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

d-d-d d:d:d

d:d:d

d-d-d

M@failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

recovered %d frames from WAL file %s

bind on a busy prepared statement: [%s]

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

too many terms in %s BY clause

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

CREATE TABLE %Q.%s(%s)

%s - %s

malformed database schema (%s)

%s-shm

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

%s %T cannot reference objects in database %s

view %s is circularly defined

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

no such table: %s

%s.%s.%s

too many references to "%s": max 65535

sqlite_sq_%p

automatic index on %s(%s)

no such vfs: %s

%s mode not allowed: %s

no such %s mode: %s

recovered %d pages from %s

unknown database: %s

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %u of page %d

Corruption detected in cell %d on page %d

On page %d at right child:

On tree page %d cell %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

Page %d:

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

unable to identify the object to be reindexed

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

at most %d tables in a join

unknown database %s

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

sqlite_sequence

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

sqlite_altertab_%s

there is already an index named %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

cannot create a TEMP index on non-TEMP table "%s"

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

no such trigger: %S

MJ delete: %s

-mjX9X

MJ collide: %s

%s-mjXXXXXX9XXz

EXECUTE %s%s SUBQUERY %d

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

PRIMARY KEY missing on table %s

unable to open database: %s

database %s is already in use

too many attached databases - max %d

database %s is locked

cannot detach database %s

no such database: %s

unsupported encoding: %s

NULL value in %s.%s

*** in database %s ***

misuse of aggregate: %s()

no such column: %s

%d values for %d columns

table %S has %d columns but %d values were supplied

table %S has no column named %s

-- TRIGGER %s

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

sqlite_stat

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

database schema is locked: %s

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

PRAGMA vacuum_db.synchronous=OFF

cannot VACUUM - SQL statements in progress

abort at %d in [%s]: %s

%s constraint failed

%s constraint failed: %s

statement aborts at %d: [%s] %s

database table is locked: %s

cannot change %s wal mode from within a transaction

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot commit transaction - SQL statements in progress

cannot release savepoint - SQL statements in progress

no such savepoint: %s

cannot open savepoint - SQL statements in progress

cannot open value of type %s

cannot open %s column for writing

no such column: "%s"

cannot open view: %s

cannot open table without rowid: %s

cannot open virtual table: %s

indexed

foreign key

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

no such table column: %s.%s

CCmdTarget

CNotSupportedException

CMFCVisualManagerWindows

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

CMDIFrameWndEx

TaskDialogIndirect

CMDITabProxyWnd

CMDIChildWndEx

CMDIChildWnd

CMDIFrameWnd

CMDIClientAreaWnd

CMFCToolBarsKeyboardPropertyPage

GetProcessWindowStation

operator

portuguese-brazilian

CWebBrowser2

()$^.* ?[]|\-{},:=!

Winhttp.dll

WinHttpCrackUrl

Wininet.dll

HttpSendRequestW

HttpOpenRequestW

INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,

INSERT INTO %s (email) VALUES ('%s')

SELECT date_time, reminder_date_time, name, location, notes, send_email, id from %s where user_id = %u

SELECT email from %s where id = %u

UPDATE %s SET email = '%s' WHERE id = %u

INSERT INTO %s (date_time, reminder_date_time, name, location, notes, send_email, user_id) VALUES ('%s', '%s', '%s', '%s', '%s', %i, %u)

DELETE FROM %s WHERE id = %u

SELECT date_time, reminder_date_time, name, location, notes, send_email, user_id from %s where id = %u

GetWindowsDirectoryW

GetCPInfo

KERNEL32.dll

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExW

CreateDialogIndirectParamW

GetAsyncKeyState

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardState

GetKeyNameTextW

MapVirtualKeyExW

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GDI32.dll

MSIMG32.dll

COMDLG32.dll

WINSPOOL.DRV

RegOpenKeyW

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

COMCTL32.dll

SHLWAPI.dll

ole32.dll

OLEAUT32.dll

oledlg.dll

GdiplusShutdown

gdiplus.dll

OLEACC.dll

IMM32.dll

WINMM.dll

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.PAVCUserException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCMFCVisualManagerWindows@@

.PAVCResourceException@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCMFCToolBarCmdUI@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.PAVCFileException@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCRibbonKeyTip@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÃ

.?AVCCmdTarget@@

.?AVCWebBrowser2@@

.PAVCException@@

.?AV?$_Ref_count_del@Usqlite3@@P6AHPAU1@@Z@tr1@std@@

.P6AHPAUsqlite3@@@Z

1JTCP

p.qN3

.IDAT

.IDATH

AYO.xXO

~:v.zgu}7

s',%f

3%Cn,

&I.Ibr

HOJ.oa

u.vjB

}j.jX

cdl6.ptQf

d\'.tA

s?.jP

p.qNs2cC

.QzY(

O\.gA

.YRar

B%f#X

..nax

.mQ$(Xt

.MaeI

.HtCE

~%Uu ,

kJ%UN

".igLO

%FPf!

*"%Dv

#c$D%f

,D.Zl

.yK]EW

\.Wnp`p(

=9=%{.mnWw/

X${.mn:

23[.Iq&

v`.Ko

q.Ko#

PFTI%f

6wv.TD

V.mE&Qs;

Q`.vc

R%FO8

.aCBC

WINDOWS7_

Windows7

777888999888666

2,3034383

8Â8

8"808=8{8

; ;&;-;3;

9%9X9s9z9

:3;\;};6

8!8-83898?8

6'7-767=7

9Â9j9

<.>

3!3,323:3\3~3

8Â8v8D9W;i;r;

0&1.161>1~1

8!8%8)8-81858

; ;$;(;,;0;4;8;

? ?$?(?,?0?4?8?

= =$=(=,=0=4=8=

9 9(909

=$=,=8=\=|=

= =@=\=`=

3 383\3|3

5 5$5(5,5054585

accKeyboardShortcut

wuser32.dll

hhctrl.ocx

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

KERNEL32.DLL

%s%s.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

lX-X-x-XX-XXXXXX

UxTheme.dll

@%d%%

Advapi32.dll

Jcomctl32.dll

Jcomdlg32.dll

Jshell32.dll

mfcm100u.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

SHELL32.DLL

lXXxXXXXXXXX

dwmapi.dll

eShell32.dll

%s:%x:%x:%x:%x

%sMFCToolBar-%d%x

%sMFCToolBar-%d

%sMFCToolBarParameters

TOOLBAR_RESETKEYBAORD

%sDockingManager-%d

&%d %s

MSG_CHECKEMPTYMINIFRAME

%sPane-%d%x

%sPane-%d

USER32.DLL

MHex={X,X,X}

kernel32.dll

If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

MFCLink_UrlPrefix

MFCLink_Url

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

COMCTL32.DLL

KeyboardManager

%sBasePane-%d%x

%sBasePane-%d

ShowCmd

M%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

%c%d%c%s

URICHED20.DLL

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

windows

Vf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

%sMDIClientArea-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

RGB(%d, %d, %d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

ENABLE_KEYS

KEYS_MENU

KEYS

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

\Note-UP.db

@c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl

%s (%s:%d)

%d.%m.%Y %H:%M

Content-Type: application/x-www-form-urlencoded; charset=utf-8;

hXXp://note-up.com/controllers/json_parser.php

Today, %m/%d/%Y at %I:%M %p

%A, %m/%d/%Y at %I:%M %p

v=1&tid=UA-66670216-1&cid=%s&t=event&ec=%s&ea=%s

hXXp://VVV.google-analytics.com/collect?

NSIS_Inetc (Mozilla)

Content-Type: application/x-www-form-urlencoded

%Program Files%\Note-up\Note-up.exe

AQUA_IDB_OFFICE2007_MENU_BTN%AQUA_IDB_OFFICE2007_MENU_BTN_DISABLED%AQUA_IDB_OFFICE2007_MENU_BTN_SCROLL_T"AQUA_IDB_OFFICE2007_MENU_ITEM_BACK&AQUA_IDB_OFFICE2007_MENU_ITEM_MARKER_C&AQUA_IDB_OFFICE2007_MENU_ITEM_MARKER_R$AQUA_IDB_OFFICE2007_POPUPMENU_BORDER'AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.AQUA_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(AQUA_IDB_OFFICE2007_RIBBON_BORDER_FLOATY$AQUA_IDB_OFFICE2007_RIBBON_BTN_CHECK&AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT,AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/AQUA_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&AQUA_IDB_OFFICE2007_RIBBON_BTN_GROUP_S*AQUA_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#AQUA_IDB_OFFICE2007_RIBBON_BTN_MAIN'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'AQUA_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'AQUA_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'AQUA_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(AQUA_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)AQUA_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*AQUA_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%AQUA_IDB_OFFICE2007_RIBBON_CAPTION_QA AQUA_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(AQUA_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'AQUA_IDB_OFFICE2007_RIBBON_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1AQUA_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&AQUA_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'AQUA_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'AQUA_IDB_OFFICE2007_RIBBON_PANEL_BACK_T*AQUA_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR(AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.AQUA_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT AQUA_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*AQUA_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'AQUA_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"AQUA_IDB_OFFICE2007_STATUSBAR_BACK&AQUA_IDB_OFFICE2007_STATUSBAR_BACK_EXT(AQUA_IDB_OFFICE2007_STATUSBAR_PANEBORDER%AQUA_IDB_OFFICE2007_STATUSBAR_SIZEBOX AQUA_IDB_OFFICE2007_SYS_BTN_BACK"AQUA_IDB_OFFICE2007_SYS_BTN_BACK_S!AQUA_IDB_OFFICE2007_SYS_BTN_CLOSE#AQUA_IDB_OFFICE2007_SYS_BTN_CLOSE_S$AQUA_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&AQUA_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$AQUA_IDB_OFFICE2007_SYS_BTN_MINIMIZE&AQUA_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#AQUA_IDB_OFFICE2007_SYS_BTN_RESTORE%AQUA_IDB_OFFICE2007_SYS_BTN_RESTORE_S

BLACK_IDB_OFFICE2007_MENU_BTN&BLACK_IDB_OFFICE2007_MENU_BTN_DISABLED&BLACK_IDB_OFFICE2007_MENU_BTN_SCROLL_T,BLACK_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR#BLACK_IDB_OFFICE2007_MENU_ITEM_BACK'BLACK_IDB_OFFICE2007_MENU_ITEM_MARKER_C'BLACK_IDB_OFFICE2007_MENU_ITEM_MARKER_R%BLACK_IDB_OFFICE2007_OUTLOOK_BAR_BACK%BLACK_IDB_OFFICE2007_OUTLOOK_BTN_PAGE%BLACK_IDB_OFFICE2007_POPUPMENU_BORDER(BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR0BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV1BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT/BLACK_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V)BLACK_IDB_OFFICE2007_RIBBON_BORDER_FLOATY&BLACK_IDB_OFFICE2007_RIBBON_BORDER_QAT%BLACK_IDB_OFFICE2007_RIBBON_BTN_CHECK'BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT,BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON-BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT0BLACK_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C-BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_F'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_L'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_M'BLACK_IDB_OFFICE2007_RIBBON_BTN_GROUP_S&BLACK_IDB_OFFICE2007_RIBBON_BTN_LAUNCH BLACK_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON$BLACK_IDB_OFFICE2007_RIBBON_BTN_MAIN(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C(BLACK_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M(BLACK_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B(BLACK_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S&BLACK_IDB_OFFICE2007_RIBBON_BTN_PAGE_L&BLACK_IDB_OFFICE2007_RIBBON_BTN_PAGE_R)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M)BLACK_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T*BLACK_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN BLACK_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE&BLACK_IDB_OFFICE2007_RIBBON_CAPTION_QA,BLACK_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS)BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_BACK(BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_TAB,BLACK_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB0BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B0BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB-BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB1BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT3BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK6BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION2BLACK_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB'BLACK_IDB_OFFICE2007_RIBBON_KEYTIP_BACK(BLACK_IDB_OFFICE2007_RIBBON_PANEL_BACK_B(BLACK_IDB_OFFICE2007_RIBBON_PANEL_BACK_T&BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN-BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER%BLACK_IDB_OFFICE2007_RIBBON_PANEL_QAT BLACK_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR)BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_BACK-BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL/BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT,BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS(BLACK_IDB_OFFICE2007_RIBBON_SLIDER_THUMB#BLACK_IDB_OFFICE2007_STATUSBAR_BACK'BLACK_IDB_OFFICE2007_STATUSBAR_BACK_EXT)BLACK_IDB_OFFICE2007_STATUSBAR_PANEBORDER&BLACK_IDB_OFFICE2007_STATUSBAR_SIZEBOX!BLACK_IDB_OFFICE2007_SYS_BTN_BACK#BLACK_IDB_OFFICE2007_SYS_BTN_BACK_S"BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE$BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S$BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE&BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE_S

BLUE_IDB_OFFICE2007_MENU_BTN%BLUE_IDB_OFFICE2007_MENU_BTN_DISABLED%BLUE_IDB_OFFICE2007_MENU_BTN_SCROLL_T BLUE_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR"BLUE_IDB_OFFICE2007_MENU_ITEM_BACK&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_C&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_R$BLUE_IDB_OFFICE2007_OUTLOOK_BAR_BACK$BLUE_IDB_OFFICE2007_OUTLOOK_BTN_PAGE$BLUE_IDB_OFFICE2007_POPUPMENU_BORDER'BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(BLUE_IDB_OFFICE2007_RIBBON_BORDER_FLOATY%BLUE_IDB_OFFICE2007_RIBBON_BORDER_QAT$BLUE_IDB_OFFICE2007_RIBBON_BTN_CHECK&BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH*BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#BLUE_IDB_OFFICE2007_RIBBON_BTN_MAIN'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)BLUE_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*BLUE_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&BLUE_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_T%BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN,BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER$BLUE_IDB_OFFICE2007_RIBBON_PANEL_QAT*BLUE_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR(BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'BLUE_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"BLUE_IDB_OFFICE2007_STATUSBAR_BACK&BLUE_IDB_OFFICE2007_STATUSBAR_BACK_EXT(BLUE_IDB_OFFICE2007_STATUSBAR_PANEBORDER%BLUE_IDB_OFFICE2007_STATUSBAR_SIZEBOX BLUE_IDB_OFFICE2007_SYS_BTN_BACK"BLUE_IDB_OFFICE2007_SYS_BTN_BACK_S!BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE#BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE%BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE_S

SILVER_IDB_OFFICE2007_MENU_BTN'SILVER_IDB_OFFICE2007_MENU_BTN_DISABLED'SILVER_IDB_OFFICE2007_MENU_BTN_SCROLL_T-SILVER_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR$SILVER_IDB_OFFICE2007_MENU_ITEM_BACK(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_C(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_R&SILVER_IDB_OFFICE2007_OUTLOOK_BAR_BACK&SILVER_IDB_OFFICE2007_OUTLOOK_BTN_PAGE&SILVER_IDB_OFFICE2007_POPUPMENU_BORDER)SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR1SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV2SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT0SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V*SILVER_IDB_OFFICE2007_RIBBON_BORDER_FLOATY'SILVER_IDB_OFFICE2007_RIBBON_BORDER_QAT&SILVER_IDB_OFFICE2007_RIBBON_BTN_CHECK(SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT-SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE,SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT1SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_F(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_L(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH,SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON%SILVER_IDB_OFFICE2007_RIBBON_BTN_MAIN)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_L'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_R*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T SILVER_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN,SILVER_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE'SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA-SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS*SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_BACK)SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB-SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB.SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB(SILVER_IDB_OFFICE2007_RIBBON_KEYTIP_BACK)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_B)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_T'SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN.SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER&SILVER_IDB_OFFICE2007_RIBBON_PANEL_QAT,SILVER_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR*SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_BACK.SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY,SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL0SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT-SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS,SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS)SILVER_IDB_OFFICE2007_RIBBON_SLIDER_THUMB$SILVER_IDB_OFFICE2007_STATUSBAR_BACK(SILVER_IDB_OFFICE2007_STATUSBAR_BACK_EXT*SILVER_IDB_OFFICE2007_STATUSBAR_PANEBORDER'SILVER_IDB_OFFICE2007_STATUSBAR_SIZEBOX"SILVER_IDB_OFFICE2007_SYS_BTN_BACK$SILVER_IDB_OFFICE2007_SYS_BTN_BACK_S#SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE%SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S%SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE'SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE_S

WINDOWS7_IDB_COMBOBOX_BTN

WINDOWS7_IDB_MENU_BTN

WINDOWS7_IDB_MENU_BTN_DISABLED

WINDOWS7_IDB_MENU_ITEM_BACK

WINDOWS7_IDB_MENU_ITEM_MARKER_C

WINDOWS7_IDB_MENU_ITEM_MARKER_R

WINDOWS7_IDB_RIBBON_BORDER_QAT

WINDOWS7_IDB_RIBBON_BTN_DEFAULT$WINDOWS7_IDB_RIBBON_BTN_DEFAULT_ICON%WINDOWS7_IDB_RIBBON_BTN_DEFAULT_IMAGE#WINDOWS7_IDB_RIBBON_BTN_DEFAULT_QAT%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_M

WINDOWS7_IDB_RIBBON_BTN_GROUP_F

WINDOWS7_IDB_RIBBON_BTN_GROUP_L

WINDOWS7_IDB_RIBBON_BTN_GROUP_M

WINDOWS7_IDB_RIBBON_BTN_GROUP_S

WINDOWS7_IDB_RIBBON_BTN_LAUNCH#WINDOWS7_IDB_RIBBON_BTN_LAUNCH_ICON

WINDOWS7_IDB_RIBBON_BTN_MAIN WINDOWS7_IDB_RIBBON_BTN_MENU_H_C WINDOWS7_IDB_RIBBON_BTN_MENU_H_M WINDOWS7_IDB_RIBBON_BTN_MENU_V_C WINDOWS7_IDB_RIBBON_BTN_MENU_V_M WINDOWS7_IDB_RIBBON_BTN_NORMAL_B WINDOWS7_IDB_RIBBON_BTN_NORMAL_S

WINDOWS7_IDB_RIBBON_BTN_PAGE_L

WINDOWS7_IDB_RIBBON_BTN_PAGE_R!WINDOWS7_IDB_RIBBON_BTN_PALETTE_B!WINDOWS7_IDB_RIBBON_BTN_PALETTE_M!WINDOWS7_IDB_RIBBON_BTN_PALETTE_T#WINDOWS7_IDB_RIBBON_BTN_STATUS_PANE

WINDOWS7_IDB_RIBBON_CAPTION_QA!WINDOWS7_IDB_RIBBON_CATEGORY_BACK WINDOWS7_IDB_RIBBON_CATEGORY_TAB$WINDOWS7_IDB_RIBBON_CATEGORY_TAB_SEP"WINDOWS7_IDB_RIBBON_PANEL_BACK_SEP

WINDOWS7_IDB_RIBBON_PANEL_MAIN$WINDOWS7_IDB_RIBBON_SLIDER_BTN_MINUS#WINDOWS7_IDB_RIBBON_SLIDER_BTN_PLUS

WINDOWS7_IDX_STYLE

{8856F961-340A-11D0-A96B-00C04FD705A2}

Keyboard

C&urrent Keys:

Press &New Shortcut Key:

Show shortcut &keys in ScreenTips

Windows

Help Keyboard

Keyboard shortcuts:

Customize Keyboard

Press &new shortcut key:

Can't create a new image!,Can't paste bitmap image from the clipboard!2You can paste bitmap with the size (%d x %d) only!

Move Item DownrExecutable (*.exe)|*.exe|Command (*.com)|*.com|Information (*.pdf)|*.pdf|Batch (*.bat)|*.bat|All Files (*.*)|*.*||

You may define up to %d tools.

Expand (%s)

Keys

Default Menu=Default application menu. Appears when no documents are open.[-------------------------------------------------------------------------------------------.Do you really want to delete the toolbar '%s'?

All CommandsLAll your changes will be lost! Do you really want to reset the toolbar '%s'?RAll your changes will be lost! Do you really want to reset all toolbars and menus?IAll your changes will be lost! Do you really want to reset the menu '%s'?

DefaultTAll your changes will be lost! Do you really want to reset the keyboard assignments?

4You can't create more than %d user-defined toolbars!

Undo %d Actions

Row %d of %d

Row %d-%d of %d

All Files (*.*)

No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.

#Unable to load mail system support.

Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents

%s [Recovered]

1.0.0.1

Note-UP.exe