Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bc83b3dd2f5ba625f22909c0e5e583f6
SHA1: e1fcd90cbc74db98871e59da867c4e221cefdbd7
SHA256: 41c825dae9664ef09a867b7edd95912cbe17f1806272543f59604daa30e50b37
SSDeep: 6144:Meu06aGygCzvDQL OTDLmC3RCAeL7xR8ZhDRPB:fDjGyA3LTRCRL769B
Size: 282760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-27 08:18:53
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:348
vknasetup.exe:1632
Mutexes
The following mutexes were created/opened:
_VKNOTE_WEBINSTALLER_
File activity
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\extra.dll (6147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vknasetup.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\sign.dll (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\nsJSON.dll (7 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vknasetup.exe.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (0 bytes)
The process vknasetup.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\extra.dll (6106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\header.bmp (4232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp (0 bytes)
Registry activity
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 74 8B 58 B5 AB 57 FF 56 75 D6 AD 32 9D A1 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process vknasetup.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 0B AD 60 4B 42 0F 98 CC 55 B9 B8 AE C2 46 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
bf712f32249029466fa86756f5546950 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\System.dll |
ddc0cd4c52586a7d90e498a660f4c771 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\extra.dll |
4ccc4a742d4423f2f0ed744fd9c81f63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\nsDialogs.dll |
41896ee5c4cddce1356d6c4e12727cd6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso2.tmp\extra.dll |
78b913fcd04259634a5e901c616e6074 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso2.tmp\nsJSON.dll |
d30b6c8d2f38e6abbb2f39bac0808bc0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso2.tmp\sign.dll |
7eac61ec623a582d899ff4a84bd7e830 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\vknasetup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\extra.dll (6147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vknasetup.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\sign.dll (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\nsJSON.dll (7 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\extra.dll (6106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\header.bmp (4232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1609728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1613824 | 24576 | 23552 | 5.45617 | f93d4e5387750890f531b88cdd16b1bf |
.rsrc | 1638400 | 36864 | 34816 | 3.91336 | dc192cebce156bc2336d110fe6d0c197 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
2dbfcaa93c9bb4ef62335e602d4ddf7e
Network Activity
URLs
URL | IP |
---|---|
hxxp://api.vknote.com/installer/get/?language=us&os=XP.SP3&admin=1&v=040214&ref=tc266.cwer1.0.001.271036e719&source=s1&av=b64-uTm90IEZvdW5k | 78.140.170.120 |
hxxp://update.vknote.com/installers/vknotesetup.exe | 78.140.176.132 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /installers/vknotesetup.exe HTTP/1.1
Host: update.vknote.com
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 30 Sep 2014 01:24:27 GMT
Content-Type: application/octet-stream
Content-Length: 1562536
Connection: keep-alive
Last-Modified: Fri, 21 Feb 2014 13:02:27 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................J.......J...........%....:.......:.......:......Rich....................PE..L......R.................r...j...B...8............@.......................... .....I[......................................@...........(............................................................................................................text....q.......r.................. ..`.rdata..n .......,...v..............@..@.data.... ..........................@....ndata...................................rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..B...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.S....G.V.
<<< skipped >>>
GET /installer/get/?language=us&os=XP.SP3&admin=1&v=040214&ref=tc266.cwer1.0.001.271036e719&source=s1&av=b64-uTm90IEZvdW5k HTTP/1.1
Host: api.vknote.com
Accept: */*
HTTP/1.1 200 OK
Date: Tue, 30 Sep 2014 01:24:27 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Length: 94
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://update.vknote.com/installers/vknotesetup.exe,1562536,7eac61ec623a582d899ff4a84bd7e830,1..
GET /installers/vknotesetup.exe HTTP/1.1
Host: update.vknote.com
Accept: */*
Range: bytes=0-
HTTP/1.1 206 Partial Content
Server: nginx
Date: Tue, 30 Sep 2014 01:24:28 GMT
Content-Type: application/octet-stream
Content-Length: 1562536
Connection: keep-alive
Last-Modified: Fri, 21 Feb 2014 13:02:27 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Content-Range: bytes 0-1562535/1562536
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................J.......J...........%....:.......:.......:......Rich....................PE..L......R.................r...j...B...8............@.......................... .....I[......................................@...........(............................................................................................................text....q.......r.................. ..`.rdata..n .......,...v..............@..@.data.... ..........................@....ndata...................................rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..B...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.S....G.V.
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_348:
`.rsrc
`.rsrc
RegDeleteKeyExW
RegDeleteKeyExW
Kernel32.DLL
Kernel32.DLL
PSAPI.DLL
PSAPI.DLL
%s=%s
%s=%s
r&%u<:>
r&%u<:>
*jÚ
*jÚ
D?-k}
D?-k}
.rsrc
.rsrc
} .rdR
} .rdR
KERNEL32.DLL
KERNEL32.DLL
USER32.dll
USER32.dll
nsJSON.dll
nsJSON.dll
23456789:;
23456789:;
C:\W?
C:\W?
.pdb_
.pdb_
zcÃ
zcÃ
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
sign.dll
sign.dll
Pdl6*.iCZ
Pdl6*.iCZ
E*q.AY
E*q.AY
.oK!,
.oK!,
K.DHLD
K.DHLD
K.PTX
K.PTX
GetWindowsDirectoryW
GetWindowsDirectoryW
RegEnumKeyW
RegEnumKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCreateKeyExW
ShellExecuteW
ShellExecuteW
SHFileOperationW
SHFileOperationW
GetAsyncKeyState
GetAsyncKeyState
ExitWindowsEx
ExitWindowsEx
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
fr.sLo$upV
fr.sLo$upV
KeyExJADV
KeyExJADV
Na
Na
%fmaLLT
%fmaLLT
Nullsoft Install System v2.46.5-Unicode
Nullsoft Install System v2.46.5-Unicode
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
SHELL32.dll
SHELL32.dll
VERSION.dll
VERSION.dll
logging set to %d
logging set to %d
settings logging to %d
settings logging to %d
created uninstaller: %d, "%s"
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: success ("%s")
Exec: command="%s"
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
Exch: stack
RMDir: "%s"
RMDir: "%s"
MessageBox: %d,"%s"
MessageBox: %d,"%s"
Delete: "%s"
Delete: "%s"
File: wrote %d to "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename failed: %s
Rename on reboot: %s
Rename on reboot: %s
Rename: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
SetFileAttributes: "%s":X
Sleep(%d)
Sleep(%d)
detailprint: %s
detailprint: %s
Call: %d
Call: %d
Aborting: "%s"
Aborting: "%s"
Jump: %d
Jump: %d
verifying installer: %d%%
verifying installer: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
install.log
install.log
%u.%u%s%s
%u.%u%s%s
Skipping section: "%s"
Skipping section: "%s"
Section: "%s"
Section: "%s"
New install of "%s" to "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
invalid registry key
invalid registry key
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
x%c
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%s: failed opening file "%s"
m\LOCALS~1\Temp\nso2.tmp\extra.dll
m\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
1.0.1.0
1.0.1.0
nso2.tmp
nso2.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll" (overwriteflag=1)
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll" (overwriteflag=1)
2.tmp\extra.dll"
2.tmp\extra.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
-x vknotesetup -r "tc266.cwer1.0.001.271036e719"
-x vknotesetup -r "tc266.cwer1.0.001.271036e719"
hXXp://update.vknote.com/installers/vknotesetup.exe
hXXp://update.vknote.com/installers/vknotesetup.exe
1562536
1562536
c:\%original file name%.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
tc266.cwer1.0.001.271036e719
tc266.cwer1.0.001.271036e719
XP.SP3
XP.SP3
hXXp://vknote.com
hXXp://vknote.com
hXXp://api.vknote.com
hXXp://api.vknote.com
hXXp://update.vknote.com
hXXp://update.vknote.com
_VKNOTE_WEBINSTALLER_
_VKNOTE_WEBINSTALLER_
vknote.bin
vknote.bin
vknote.exe
vknote.exe
vknasetup.exe
vknasetup.exe
default.exe
default.exe
%original file name%.exe_348_rwx_00401000_0018E000:
RegDeleteKeyExW
RegDeleteKeyExW
Kernel32.DLL
Kernel32.DLL
PSAPI.DLL
PSAPI.DLL
%s=%s
%s=%s
r&%u<:>
r&%u<:>
*jÚ
*jÚ
D?-k}
D?-k}
.rsrc
.rsrc
} .rdR
} .rdR
KERNEL32.DLL
KERNEL32.DLL
USER32.dll
USER32.dll
nsJSON.dll
nsJSON.dll
23456789:;
23456789:;
C:\W?
C:\W?
.pdb_
.pdb_
zcÃ
zcÃ
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
sign.dll
sign.dll
Pdl6*.iCZ
Pdl6*.iCZ
E*q.AY
E*q.AY
.oK!,
.oK!,
K.DHLD
K.DHLD
K.PTX
K.PTX
GetWindowsDirectoryW
GetWindowsDirectoryW
RegEnumKeyW
RegEnumKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCreateKeyExW
ShellExecuteW
ShellExecuteW
SHFileOperationW
SHFileOperationW
GetAsyncKeyState
GetAsyncKeyState
ExitWindowsEx
ExitWindowsEx
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
fr.sLo$upV
fr.sLo$upV
KeyExJADV
KeyExJADV
logging set to %d
logging set to %d
settings logging to %d
settings logging to %d
created uninstaller: %d, "%s"
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: success ("%s")
Exec: command="%s"
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
Exch: stack
RMDir: "%s"
RMDir: "%s"
MessageBox: %d,"%s"
MessageBox: %d,"%s"
Delete: "%s"
Delete: "%s"
File: wrote %d to "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename failed: %s
Rename on reboot: %s
Rename on reboot: %s
Rename: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
SetFileAttributes: "%s":X
Sleep(%d)
Sleep(%d)
detailprint: %s
detailprint: %s
Call: %d
Call: %d
Aborting: "%s"
Aborting: "%s"
Jump: %d
Jump: %d
verifying installer: %d%%
verifying installer: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
install.log
install.log
%u.%u%s%s
%u.%u%s%s
Skipping section: "%s"
Skipping section: "%s"
Section: "%s"
Section: "%s"
New install of "%s" to "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
invalid registry key
invalid registry key
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
x%c
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%s: failed opening file "%s"
m\LOCALS~1\Temp\nso2.tmp\extra.dll
m\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
1.0.1.0
1.0.1.0
nso2.tmp
nso2.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll" (overwriteflag=1)
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll" (overwriteflag=1)
2.tmp\extra.dll"
2.tmp\extra.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
-x vknotesetup -r "tc266.cwer1.0.001.271036e719"
-x vknotesetup -r "tc266.cwer1.0.001.271036e719"
hXXp://update.vknote.com/installers/vknotesetup.exe
hXXp://update.vknote.com/installers/vknotesetup.exe
1562536
1562536
c:\%original file name%.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
tc266.cwer1.0.001.271036e719
tc266.cwer1.0.001.271036e719
XP.SP3
XP.SP3
hXXp://vknote.com
hXXp://vknote.com
hXXp://api.vknote.com
hXXp://api.vknote.com
hXXp://update.vknote.com
hXXp://update.vknote.com
_VKNOTE_WEBINSTALLER_
_VKNOTE_WEBINSTALLER_
vknote.bin
vknote.bin
vknote.exe
vknote.exe
vknasetup.exe
vknasetup.exe
default.exe
default.exe
%original file name%.exe_348_rwx_01151000_00067000:
TT T!"TT#$TTTT%&'TTT(T)*T TTT,-.TT/0123TTTTTT4TTTTTTT5TTTTTT6789:;TTTTTTTT?@ABCDTTTTETTTTFTTTTTTGTTHITTTTTJKTTTLLTTMTTTTTTTTTNTTOTPQRS
TT T!"TT#$TTTT%&'TTT(T)*T TTT,-.TT/0123TTTTTT4TTTTTTT5TTTTTT6789:;TTTTTTTT?@ABCDTTTTETTTTFTTTTTTGTTHITTTTTJKTTTLLTTMTTTTTTTTTNTTOTPQRS
!"FFF#F$Fÿ&F'()FFFFFFFFFFFFF*FFFFFFFFFFFF FF,-FFFFFFFFFFF.F/FFFFFFFFFFFFFF01FF234FF56789FFFFFFFF:;FFFF?FFFFF@ABFFFFFCFDFFFFFE
!"FFF#F$Fÿ&F'()FFFFFFFFFFFFF*FFFFFFFFFFFF FF,-FFFFFFFFFFF.F/FFFFFFFFFFFFFF01FF234FF56789FFFFFFFF:;FFFF?FFFFF@ABFFFFFCFDFFFFFE
%u$Vj%
%u$Vj%
t.Gj:W
t.Gj:W
xSSSh
xSSSh
FTPjKS
FTPjKS
FtPj;S
FtPj;S
C.PjRV
C.PjRV
Could not resolve %s: %s; %s
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
init_resolve_thread() failed for %s; %s
%s:%d
%s:%d
Added %s:%d:%s to DNS cache
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
Resolve %s found illegal!
%5[^:]:%d:%5s
%5[^:]:%d:%5s
About to connect() to %s%s port %ld (#%ld)
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
Protocol %s not supported or disabled in libcurl
http_proxy
http_proxy
%5[^:@]:%5[^@]
%5[^:@]:%5[^@]
:%5[^@]
:%5[^@]
Port number too large: %lu
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
%s://%s%s%s:%hu%s%s%s
;type=%c
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
User-Agent: %s
malformed
malformed
:]://%[^
:]://%[^
[^:]:%[^
[^:]:%[^
Re-using existing connection! (#%ld) with host %s
Re-using existing connection! (#%ld) with host %s
%s://%s
%s://%s
Connection #%ld to host %s left intact
Connection #%ld to host %s left intact
operation aborted by callback
operation aborted by callback
ioctl callback returned error %d
ioctl callback returned error %d
the ioctl callback returned %d
the ioctl callback returned %d
seek callback returned error %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
No URL set!
No URL set!
[^?&/:]://%c
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Disables POST, goes with %s
Issue another request to this URL: '%s'
Issue another request to this URL: '%s'
unspecified error %d
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
httponly
23[^;
23[^;
=]=I99[^;
=]=I99[^;
%s%s%s
%s%s%s
# Fatal libcurl error
# Fatal libcurl error
# Netscape HTTP Cookie File
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
WARNING: failed to save cookies in %s
[%s %s %s]
[%s %s %s]
Send failure: %s
Send failure: %s
Recv failure: %s
Recv failure: %s
Failed to set SO_KEEPALIVE on fd %d
Failed to set SO_KEEPALIVE on fd %d
bind failed with errno %d: %s
bind failed with errno %d: %s
Local port: %hu
Local port: %hu
Couldn't bind to '%s'
Couldn't bind to '%s'
Local Interface %s is ip %s using address family %i
Local Interface %s is ip %s using address family %i
getsockname() failed with errno %d: %s
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Bind to local port %hu failed, trying next
Name '%s' family %i resolved to '%s' family %i
Name '%s' family %i resolved to '%s' family %i
ssloc inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Failed to connect to %s: %s
Trying %s...
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
sa_addr inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
Failed connect to %s:%ld; %s
Unable to parse FTP file list
Unable to parse FTP file list
Error in the SSH layer
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Illegal operation
TFTP: Access Violation
TFTP: Access Violation
TFTP: File Not Found
TFTP: File Not Found
Login denied
Login denied
Issuer check against peer certificate failed
Issuer check against peer certificate failed
Invalid LDAP URL
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
A libcurl function was given a bad argument
Operation was aborted by an application callback
Operation was aborted by an application callback
FTP: command REST failed
FTP: command REST failed
FTP: command PORT failed
FTP: command PORT failed
HTTP response code said error
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: The server did not accept the PRET command.
FTP: Accepting server connect has timed out
FTP: Accepting server connect has timed out
FTP: The server failed to connect to data port
FTP: The server failed to connect to data port
FTP: weird server reply
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
URL using bad/illegal format or missing URL
Unsupported protocol
Unsupported protocol
Winsock version not supported
Winsock version not supported
Protocol family not supported
Protocol family not supported
Address family not supported
Address family not supported
Operation not supported
Operation not supported
Socket is unsupported
Socket is unsupported
Protocol is unsupported
Protocol is unsupported
Protocol option is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Unknown error %d (%#x)
Internal error removing splay node = %d
Internal error removing splay node = %d
Internal error clearing splay node = %d
Internal error clearing splay node = %d
%d.%d.%d.%d
%d.%d.%d.%d
%s%s%s%s%s%s
%s%s%s%s%s%s
Session: %s
Session: %s
%s %s RTSP/1.0
%s %s RTSP/1.0
Range: %s
Range: %s
Referer: %s
Referer: %s
Accept-Encoding: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport: %s
Transport:
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
Unable to read the CSeq header: [%s]
SMTP
SMTP
EHLO %s
EHLO %s
HELO %s
HELO %s
No known authentication mechanisms supported!
No known authentication mechanisms supported!
AUTH %s %s
AUTH %s %s
LOGIN
LOGIN
AUTH %s
AUTH %s
Got unexpected smtp-server response: %d
Got unexpected smtp-server response: %d
Remote access denied: %d
Remote access denied: %d
Access denied: %d
Access denied: %d
smtp
smtp
Authentication failed: %d
Authentication failed: %d
MAIL FROM:%s SIZE=%s
MAIL FROM:%s SIZE=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s
MAIL FROM:%s
RCPT TO:
RCPT TO:
RCPT TO:%s
RCPT TO:%s
MAIL failed: %d
MAIL failed: %d
RCPT failed: %d
RCPT failed: %d
SMTPS not supported!
SMTPS not supported!
STARTTLS denied. %c
STARTTLS denied. %c
USER %s
USER %s
APOP %s %s
APOP %s %s
No known SASL authentication mechanisms supported!
No known SASL authentication mechanisms supported!
No known authentication types supported!
No known authentication types supported!
Access denied. %c
Access denied. %c
PASS %s
PASS %s
%s %s
%s %s
POP3S not supported!
POP3S not supported!
%s LOGIN %s %s
%s LOGIN %s %s
%s STARTTLS
%s STARTTLS
%s SELECT %s
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s FETCH 1 BODY[TEXT]
%s LOGOUT
%s LOGOUT
IMAPS not supported!
IMAPS not supported!
TFTP
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
invalid tsize -:%s:- value in OACK packet
%s (%ld)
%s (%ld)
blksize is smaller than min supported
blksize is smaller than min supported
%s (%d)
%s (%d)
blksize is larger than max supported
blksize is larger than max supported
%s (%d) %s (%d)
%s (%d) %s (%d)
got option=(%s) value=(%s)
got option=(%s) value=(%s)
tftp_rx: internal error
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
Timeout waiting for block %d ACK. Retries = %d
Received unexpected DATA packet block %d, expecting block %d
Received unexpected DATA packet block %d, expecting block %d
tftp_tx: internal error, event: %i
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
Received ACK for block %d, expecting %d
bind() failed; %s
bind() failed; %s
tftp_send_first: internal error
tftp_send_first: internal error
%s%c%s%c
%s%c%s%c
TFTP finished
TFTP finished
TFTP response timeout
TFTP response timeout
Can't get the size of %s
Can't get the size of %s
Can't open %s for writing
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
Couldn't open file %s
There are more than %d entries
There are more than %d entries
LDAP remote: %s
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.27.0
CLIENT libcurl 7.27.0
MATCH %s %s %s
MATCH %s %s %s
DEFINE %s %s
DEFINE %s %s
insufficient winsock version to support telnet
insufficient winsock version to support telnet
WSAStartup failed (%d)
WSAStartup failed (%d)
%s %d %d
%s %d %d
%s %s %d
%s %s %d
%s %s %s
%s %s %s
%s IAC %d
%s IAC %d
%s IAC %s
%s IAC %s
Sending data failed (%d)
Sending data failed (%d)
%d (unknown)
%d (unknown)
%s (unsupported)
%s (unsupported)
%s IAC SB
%s IAC SB
Unknown telnet option %s
Unknown telnet option %s
Syntax error in telnet option: %s
Syntax error in telnet option: %s
7[^= ]%*[ =]%5s
7[^= ]%*[ =]%5s
USER,%s
USER,%s
%c%c%c%c%s%c%c
%c%c%c%c%s%c%c
%c%s%c%s
%c%s%c%s
7[^,],7s
7[^,],7s
%c%c%c%c
%c%c%c%c
FreeLibrary(wsock2) failed (%d)
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
WS2_32.DLL
PORT
PORT
FTP response aborted due to select/poll error: %d
FTP response aborted due to select/poll error: %d
FTP response timeout
FTP response timeout
Failure sending PORT command: %s
Failure sending PORT command: %s
,%d,%d
,%d,%d
Failure sending EPRT command: %s
Failure sending EPRT command: %s
%s |%d|%s|%hu|
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
bind(port=%hu) failed: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) on non-local address failed: %s
socket failure: %s
socket failure: %s
failed to resolve the address provided to PORT: %s
failed to resolve the address provided to PORT: %s
getsockname() failed: %s
getsockname() failed: %s
Connect data stream passively
Connect data stream passively
PRET RETR %s
PRET RETR %s
PRET STOR %s
PRET STOR %s
PRET %s
PRET %s
REST %d
REST %d
SIZE %s
SIZE %s
STOR %s
STOR %s
APPE %s
APPE %s
Failed to do PORT
Failed to do PORT
Got a d response code instead of the assumed 200
Got a d response code instead of the assumed 200
RETR %s
RETR %s
ftp server doesn't support SIZE
ftp server doesn't support SIZE
PBSZ %d
PBSZ %d
Access denied: d
Access denied: d
ACCT %s
ACCT %s
ACCT rejected by server: d
ACCT rejected by server: d
TYPE %c
TYPE %c
Connecting to %s (%s) port %d
Connecting to %s (%s) port %d
Failure sending QUIT command: %s
Failure sending QUIT command: %s
Uploading to a URL without a file name!
Uploading to a URL without a file name!
FTPS not supported!
FTPS not supported!
Preparing for accepting server on data port
Preparing for accepting server on data port
MDTM %s
MDTM %s
Bad PASV/EPSV response: d
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
%c%c%c%u%c
ddd d:d:d GMT
ddd d:d:d GMT
dddddd
dddddd
unsupported MDTM reply format
unsupported MDTM reply format
Failed FTP upload:
Failed FTP upload:
RETR response: d
RETR response: d
QUOT string not accepted: %s
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
Wildcard - START of "%s"
CWD %s
CWD %s
PRET command not accepted: d
PRET command not accepted: d
Failed to MKD dir: d
Failed to MKD dir: d
MKD %s
MKD %s
QUOT command failed with d
QUOT command failed with d
Entry path is '%s'
Entry path is '%s'
PROT %c
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
Got a d ftp-server response when 220 was expected
server did not report OK, got %d
server did not report OK, got %d
Failure sending ABOR command: %s
Failure sending ABOR command: %s
Remembering we are in dir "%s"
Remembering we are in dir "%s"
%sAuthorization: Basic %s
%sAuthorization: Basic %s
%s:%s
%s:%s
%s auth using %s with user '%s'
%s auth using %s with user '%s'
HTTP/
HTTP/
Avoided giant realloc for header (max is %d)!
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
The requested URL returned error: %d
The requested URL returned error: %s
The requested URL returned error: %s
If-Unmodified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Last-Modified: %s
If-Modified-Since: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Internal HTTP POST error!
Failed sending HTTP request
Failed sending HTTP request
%s%s=%s
%s%s=%s
%s HTTP/%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
Range: bytes=%s
PTF://
PTF://
Host: %s%s%s:%hu
Host: %s%s%s:%hu
Host: %s%s%s
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
HTTP 1.0, assume close after body
RTSP/%d.%d =
RTSP/%d.%d =
HTTP =
HTTP =
HTTP/%d.%d =
HTTP/%d.%d =
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
User was rejected by the SOCKS5 server (%d %d).
--:--:--
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Received HTTP code %d from proxy after CONNECT
Received HTTP code %d from proxy after CONNECT
TUNNEL_STATE switched to: %d
TUNNEL_STATE switched to: %d
HTTP/1.%d %d
HTTP/1.%d %d
CONNECT %s HTTP/%s
CONNECT %s HTTP/%s
%s%s%s%s
%s%s%s%s
Host: %s
Host: %s
%s%s%s:%hu
%s%s%s:%hu
%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
Establish HTTP proxy tunnel to %s:%hu
password
password
login
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%s, algorithm="%s"
%s, algorithm="%s"
%s, opaque="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%s:%s:x:%s:%s:%s
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%.*s
%s:%s:%s
%s:%s:%s
d:d
d:d
d:d:d
d:d:d
%s xxxxxxxxxxxxxxxx
%s xxxxxxxxxxxxxxxx
12345678
12345678
00000001
00000001
%c%c==
%c%c==
%c%c%c=
%c%c%c=
0123456789-
0123456789-
.jpeg
.jpeg
.html
.html
--%s--
--%s--
couldn't open file "%s"
couldn't open file "%s"
Content-Type: %s
Content-Type: %s
; filename="%s"
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
%s; boundary=%s
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
portuguese-brazilian
portuguese-brazilian
operator
operator
GetProcessWindowStation
GetProcessWindowStation
?456789:;
?456789:;
C:\Work\cpp\nsis_plugins\Extra\ReleaseUnicode\extra.pdb
C:\Work\cpp\nsis_plugins\Extra\ReleaseUnicode\extra.pdb
zcÃ
zcÃ
.?AVHttpGetFileStream@@
.?AVHttpGetFileStream@@
.?AVHttpGetFile@@
.?AVHttpGetFile@@
.?AVHttpRequestResult@@
.?AVHttpRequestResult@@
c:\%original file name%.exe
c:\%original file name%.exe
PeekNamedPipe
PeekNamedPipe
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
ShellExecuteW
ShellExecuteW
.LBM'
.LBM'
]
]
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
yKERNEL32.DLL
yKERNEL32.DLL
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
%original file name%.exe_348_rwx_10001000_00007000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
0x%c%c%c%c
0x%c%c%c%c
vknasetup.exe_1632:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
RegDeleteKeyExW
RegDeleteKeyExW
Kernel32.DLL
Kernel32.DLL
PSAPI.DLL
PSAPI.DLL
%s=%s
%s=%s
GetWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
GetAsyncKeyState
GetAsyncKeyState
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationW
SHFileOperationW
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
RegDeleteKeyW
RegDeleteKeyW
RegCloseKey
RegCloseKey
RegEnumKeyW
RegEnumKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
g.Qjz_
g.Qjz_
7PÂ)
7PÂ)
sssH&
sssH&
%x't_
%x't_
Nullsoft Install System v2.46.5-Unicode
Nullsoft Install System v2.46.5-Unicode
logging set to %d
logging set to %d
settings logging to %d
settings logging to %d
created uninstaller: %d, "%s"
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: success ("%s")
Exec: command="%s"
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
Exch: stack
RMDir: "%s"
RMDir: "%s"
MessageBox: %d,"%s"
MessageBox: %d,"%s"
Delete: "%s"
Delete: "%s"
File: wrote %d to "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename failed: %s
Rename on reboot: %s
Rename on reboot: %s
Rename: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
SetFileAttributes: "%s":X
Sleep(%d)
Sleep(%d)
detailprint: %s
detailprint: %s
Call: %d
Call: %d
Aborting: "%s"
Aborting: "%s"
Jump: %d
Jump: %d
verifying installer: %d%%
verifying installer: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
install.log
install.log
%u.%u%s%s
%u.%u%s%s
Skipping section: "%s"
Skipping section: "%s"
Section: "%s"
Section: "%s"
New install of "%s" to "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
invalid registry key
invalid registry key
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
x%c
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll
1.0.001.271036e719"
1.0.001.271036e719"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp
nsa4.tmp
nsa4.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll" (overwriteflag=1)
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
p\nsDialogs.dll"
1048834
1048834
1.0.001.271036e719
1.0.001.271036e719
knasetup.exe" -x vknotesetup -r "tc266.cwer1.0.001.271036e719"
knasetup.exe" -x vknotesetup -r "tc266.cwer1.0.001.271036e719"
66.cwer1.0.001.271036e719"
66.cwer1.0.001.271036e719"
2070664
2070664
1-1801674531
1-1801674531
Windows
Windows
113995698
113995698
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vknasetup.exe" -x vknotesetup -r "tc266.cwer1.0.001.271036e719"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vknasetup.exe" -x vknotesetup -r "tc266.cwer1.0.001.271036e719"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
vknasetup.exe
vknasetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu3.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vknasetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vknasetup.exe
470418122
470418122
1048858
1048858
1179940
1179940
XP.SP3
XP.SP3
tc266.cwer1.0.001.271036e719
tc266.cwer1.0.001.271036e719
990184127
990184127
537526983
537526983
604635844
604635844