Trojan.Win32.Bumat_d24a957619
Trojan.Win32.Bumat.FD, Trojan.Win32.Sasfis.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d24a957619a3542301ef903bab54f1cf
SHA1: ad98af7941e491303c95dc60e1cca2758a87be92
SHA256: 092cddab1c8a7d5f5e3a06fca3ab390e6c1e94a1b4d502992bbc999bf1c4f6cc
SSDeep: 98304:kaidCzJyjPhvgzYMOxo6CXp 4Jnhd2LAk5dtro0NBhs5xS7zkcUlnkTFdeCp fWa:12CFyjMOxolLnhdHkqa7sLSvUQFC5
Size: 7136257 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2015-11-08 18:36:23
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
UltraISO.exe:3304
%original file name%.exe:2624
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process UltraISO.exe:3304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\UltraISO Premium\local\temp\ce8_0x00400000.tls (5 bytes)
The process %original file name%.exe:2624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E99_4EB65D2EF896F9A30A10A7F798B64304 (472 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6DE0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\001836CEC9B3850D003670B9D75C6973 (416 bytes)
C:\Data\UltraISO Premium\xsandbox.bin.__tmp__ (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_4EB65D2EF896F9A30A10A7F798B64304 (696 bytes)
C:\Data\UltraISO Premium\local\stubexe\0xFC42E76D3189D234\UltraISO.exe.__tmp__ (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\001836CEC9B3850D003670B9D75C6973 (526 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab6DDF.tmp (51 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6DE0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab6DDF.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"EditFlags" = "D2 01 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"PreviewDetails" = "prop:System.DateModified;*System.SharedWith;*System.OfflineAvailability;*System.OfflineStatus"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"InfoTip" = "prop:System.Comment;System.DateCreated"
"FriendlyTypeName" = "@shell32.dll,-10152"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"AlwaysShowExt" = ""
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"NoRecentDocs" = ""
"PreviewTitle" = "prop:System.ItemNameDisplay;System.ItemTypeText"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"(Default)" = "File Folder"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCR@\Directory]
"FullDetails" = "prop:System.PropGroup.Description;System.DateCreated;System.FileCount;System.TotalFileSize"
[HKLM\SOFTWARE\Microsoft\Tracing\d24a957619a3542301ef903bab54f1cf_RASMANCS]
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Spoon\SandboxCache\58FC64123BC3E3B9\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
ffad6c8daa5ea6df5e635abe317a3199 | c:\Data\UltraISO Premium\local\stubexe\0xFC42E76D3189D234\UltraISO.exe |
1201eed2c115a75b639f20da6788feb6 | c:\Data\UltraISO Premium\local\temp\ce8_0x00400000.tls |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: fcportables.com
Product Name: UltraISO Premium
Product Version: V9.65
Legal Copyright: Copyright (c) EZB Systems, Inc.
Legal Trademarks: EZB(R)
Original Filename: ultraiso.exe
Internal Name: UltraISO
File Version: 9.6.5.3237
File Description: UltraISO Premium
Comments: http://www.ezbsystems.com
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 17320 | 17408 | 4.42555 | c0431a3e7e4c5d938b6a3800df8d2ff2 |
.data | 24576 | 1096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.xcpad | 28672 | 9441280 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 9469952 | 848 | 1024 | 2.9241 | 071177cf0cad6d04f8f8fc436cc18e12 |
.reloc | 9474048 | 572 | 1024 | 3.0288 | fea30a75759e13842a90a411aa1eafe4 |
.rsrc | 9478144 | 19343 | 19456 | 3.88798 | dad32af17415ce1ac9299a95b5cfeac4 |
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Sat, 16 Sep 2017 14:21:52 GMT
Etag: "200da-f62-559055fde8365"
Last-Modified: Tue, 12 Sep 2017 22:15:01 GMT
Server: ECS (vie/F3BF)
X-Cache: HIT
Content-Length: 39380
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Cache-Control: max-age = 547348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 19 Nov 2013 21:12:41 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1664
content-transfer-encoding: binary
Cache-Control: max-age=515163, public, no-transform, must-revalidate
Last-Modified: Fri, 15 Sep 2017 13:26:26 GMT
Expires: Fri, 22 Sep 2017 13:26:26 GMT
Date: Sat, 16 Sep 2017 14:21:57 GMT
Connection: keep-alive
GET /COMODORSAOrganizationValidationSecureServerCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.comodoca.com
HTTP/1.1 200 OK
Date: Sat, 16 Sep 2017 14:21:19 GMT
Content-Type: application/x-pkcs7-crl
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d44d7d3b0aa1879becbae40fe79d189ea1505571679; expires=Sun, 16-Sep-18 14:21:19 GMT; path=/; domain=.comodoca.com; HttpOnly
Last-Modified: Fri, 15 Sep 2017 23:12:07 GMT
ETag: W/"59bc5e47-4fdc3"
X-CCACDN-Mirror-ID: rmdccacrl4
Cache-Control: public, max-age=3600
CF-Cache-Status: HIT
Expires: Sat, 16 Sep 2017 15:21:19 GMT
Server: cloudflare-nginx
CF-RAY: 39f478b7b32c841e-KBP
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEDaCXn+1pIGTfvbRc2u5PKY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com
HTTP/1.1 200 OK
Date: Sat, 16 Sep 2017 14:21:10 GMT
Server: Apache
Last-Modified: Fri, 15 Sep 2017 09:19:01 GMT
Expires: Fri, 22 Sep 2017 09:19:01 GMT
ETag: 2CE7539C6119BC688525F63038887385F83F468F
Cache-Control: max-age=499670,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp12
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com
HTTP/1.1 200 OK
Date: Sat, 16 Sep 2017 14:21:04 GMT
Server: Apache
Last-Modified: Fri, 15 Sep 2017 09:19:01 GMT
Expires: Fri, 22 Sep 2017 09:19:01 GMT
ETag: 70504BFFA41F1B64FDF37923C72956A8A6989DD0
Cache-Control: max-age=499676,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp12
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s+tT7YvuypISCoStxtCwSQCEQCa2/3gnkWuKlpISjjXKp/C HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com
HTTP/1.1 200 OK
Date: Sat, 16 Sep 2017 14:21:15 GMT
Server: Apache
Last-Modified: Thu, 14 Sep 2017 10:36:57 GMT
Expires: Thu, 21 Sep 2017 10:36:57 GMT
ETag: 6310D560CA84392D9DDFF47EEED566430C65B0C5
Cache-Control: max-age=417941,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp12
Content-Length: 472
Connection: close
Content-Type: application/ocsp-response
The Trojan connects to the servers at the following location(s):
%original file name%.exe_2624_rwx_00EE0000_001C8000:
g_vm.StartDependencies()
g_vm.RunShotgunApps()
g_vm.CanRunInBootstrap(fCanRun)
g_vm.PrimeAndRunExe()
g_vm.ShellExecuteChildProcess()
%s %s (0x%X)
hr: %x
\x86\vm.dll
Process %d (0x%X) '%s' started in debug mode.
Click 'Ok' to continue using specified vm.dll or 'Cancel' to use embedded vm.
Didn't find local vm.dll, using embedded.
%u.%u.%u.%u
.manifest
No child layer in %s.
\pipe\
\??\pipe\
New_NetLocalGroupAdd::<lambda_4f6516e028a32fffa0bed2ff8184ea49>::operator ()
New_NetLocalGroupAddMembers::<lambda_32f8d4017faa09f568026cc9125ec9f3>::operator ()
Fallback virtual %s service account to NT Service
New_LookupAccountNameA::<lambda_c4ab36f356eb2d9314c1499a4f3090a2>::operator ()
New_LookupAccountNameW::<lambda_ef7eec37a16d650a71dc61cd0d9a62e5>::operator ()
netapi32.dll
Error loading netapi32.dll
CHooker::InterceptAPI32(L"netapi32.dll", "NetLocalGroupAdd", (PROC)New_NetLocalGroupAdd, (PROC*)&Orig_NetLocalGroupAdd)
sCHooker::InterceptAPI32(L"netapi32.dll", "NetLocalGroupAddMembers", (PROC)New_NetLocalGroupAddMembers, (PROC*)&Orig_NetLocalGroupAddMembers)
Error loading advapi32.dll
CHooker::InterceptAPI32(L"advapi32.dll", "LookupAccountNameW", (PROC)New_LookupAccountNameW, (PROC*)&Orig_LookupAccountNameW)
CHooker::InterceptAPI32(L"advapi32.dll", "LookupAccountNameA", (PROC)New_LookupAccountNameA, (PROC*)&Orig_LookupAccountNameA)
_ConnectNamedPipe(s_hFeedbackPipe, CProcessSettings::NotificationFlagSet(eSendProcessNotifications))
Unable add _ExecuteCommand notification handle.
\\.\pipe\_xmgr_%s
Unable to open named pipe for feedback...
CClientSync::_ConnectNamedPipe
_SendMessageOverPipe(rh, (PVOID)&msg, sizeof(msg))
_xmgr_%s_mem_xlayerinfo_0xX
Unable to map view of sman-specified XLayer info: %s.
Invalid required xlayer mapping in sman-specified XLayer info: %s.
Unable to open specified xLayer: %s.
Unable to create mapping of specified xLayer: %s.
Unable to write message over pipe.
CClientSync::_SendMessageOverPipe
\*-x86.dll
CHttpSrv: bad url regexp
CHttpSrv::prepareUrlRE
CHttpSrv findFreeTcpPort failed: couldn't create socket. WsaGle:%d, Gle:0x%X
CHttpSrv::findFreeTcpPort
CHttpSrv findFreeTcpPort failed: couldn't bind
CHttpSrv findFreeTcpPort failed: couldn't retrieve port number
CHttpSrv::HttpAddUrl
CHttpSrv %s: invalid url: %s
CHttpSrv TODO: HttpReceiveHttpRequest synchronous requests are not supported yet
CHttpSrv::HttpReceiveHttpRequest
CHttpSrv _reCookUrl: invalid url: %s
CHttpSrv::_reCookUrl
CHttpSrv getnameinfo: got unexpected port %d (hostPort should be %d)
CHttpSrv::getnameinfo
Regular expression matcher failed to parse: %s, Error returned: %n
%s%s%s
_X
Found one-time handle: 0x%X, for path: %s.
\REGISTRY\USER\%s\Software\Spoon\SandboxCache
NT::RtlConvertSidToUnicodeString( &usSidString, pTokenUser->User.Sid, TRUE)
_pipe_
0xXX
_xvm_mem_sandbox_info_%s
_xvm_mtx_sandbox_info_%s
Two applications using same sandbox at the same time with different settings. Unexpected results would occur, thus failing fast: Existing Bootstrap: %s, This Bootstrap: %s, Existing EntrySvm: %s, This EntrySvm: %s.
_xvm_mtx_sentinel_%s
_xvm_mtx_servicesentinel_%s
_xvm_evt_notification_%s
GetModuleFileNameW failed for main exe
Exceeded duplicate handle space, procInfoVer: %d, cwcPath: %d, countDups: %d.
Can't create process information memory with status: 0x%X.
Can't create process information with status: 0x%X.
Failed to VirtualAllocEx for target process. Status: 0x%X, Size returned is: 0x%X.
Unable to get info for virtual-proc candidate: 0x%X, peb: 0x%X
Can't create process information object with gle: 0x%X.
Can't map process information object with gle: 0x%X.
Can't create injected process information object with gle: 0x%X.
Can't map injected process information object with gle: 0x%X.
_vmapi_pids_sandbox_0x%s
_vmapi_pids_sandbox_0xXX
Someone wants SACL portion of security descriptor, but we don't have that
Unexpected error from MakeSelfRelativeSD: %d
NtCreateFile failed: 0x%X
NtWriteFile failed: 0x%X
NtClose failed: 0x%X
tDumpStdin: %s
rTruncStdStreams: %d
\stubexe\0xXX\%s
CreateStubExe(rSettings, rsStubExePath)
CStubexe::EnsureStubExe
CAtomicFile::InitForWrite( sStubExePath, cbStubExe, &pStmFile)
CStubexe::CreateStubExe
pStmFile->GetMappedView((PVOID*)&pbStubExe)
ws2_32.dll
Can't get ws2_32.dll handle
WSAStartup failed with error code %d
New_WSAStartup::<lambda_e60d4002a24fc40ebe451a45f5d046c1>::operator ()
MaxUdpDg
Error loading ws2_32.dll
CHooker::InterceptAPI32(L"ws2_32.dll", "WSAStartup", (PROC)New_WSAStartup, (PROC*)&Orig_WSAStartup)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSASocketW", (PROC)New_WSASocketW, (PROC*)&Orig_WSASocketW)
CHooker::InterceptAPI32(L"ws2_32.dll", "closesocket", (PROC)New_closesocket, (PROC*)&Orig_closesocket)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSAConnect", (PROC)New_WSAConnect, (PROC*)&Orig_WSAConnect)
tCHooker::InterceptAPI32(L"ws2_32.dll", "connect", (PROC)New_connect, (PROC*)&Orig_connect)
CHooker::InterceptAPI32(L"ws2_32.dll", "getsockname", (PROC)New_getsockname, (PROC*)&Orig_getsockname)
CHooker::InterceptAPI32(L"ws2_32.dll", "getpeername", (PROC)New_getpeername, (PROC*)&Orig_getpeername)
CHooker::InterceptAPI32(L"ws2_32.dll", "getaddrinfo", (PROC)New_getaddrinfo, (PROC*)&Orig_getaddrinfo)
CHooker::InterceptAPI32(L"ws2_32.dll", "freeaddrinfo", (PROC)New_freeaddrinfo, (PROC*)&Orig_freeaddrinfo)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSAIoctl", (PROC)New_WSAIoctl, (PROC*)&Orig_WSAIoctl)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSALookupServiceBeginW", (PROC)New_WSALookupServiceBeginW, (PROC*)&Orig_WSALookupServiceBeginW)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSALookupServiceNextW", (PROC)New_WSALookupServiceNextW, (PROC*)&Orig_WSALookupServiceNextW)
dCHooker::InterceptAPI32(L"ws2_32.dll", "WSALookupServiceEnd", (PROC)New_WSALookupServiceEnd, (PROC*)&Orig_WSALookupServiceEnd)
CHooker::InterceptAPI32(L"ws2_32.dll", "GetAddrInfoExW", (PROC)New_GetAddrInfoExW, (PROC*)&Orig_GetAddrInfoExW)
CHooker::InterceptAPI32(L"ws2_32.dll", "bind", (PROC)New_bind, (PROC*)&Orig_bind)
CHooker::InterceptAPI32(L"ws2_32.dll", "listen", (PROC)New_listen, (PROC*)&Orig_listen)
CHooker::InterceptAPI32(L"ws2_32.dll", "getnameinfo", (PROC)New_getnameinfo, (PROC*)&Orig_getnameinfo)
GetVmXMethod("VmxWSAGetLastError", (PVOID *)&g_WinsockApi.WSAGetLastError)
GetVmXMethod("VmxWSASetLastError", (PVOID *)&g_WinsockApi.WSASetLastError)
%s.%s="%s",%s="%s"
Unsupported number of classes implementing IWbemLocator
Unsupported number of classes implementing IWbemServices
Unsupported number of classes implementing IEnumWbemClassObject
Unsupported number of classes implementing IWbemClassObject
CLSIDFromString("%s") failed with error code 0x%X
Failure in QI for IID_IPersistFile on returned interface in CoGetInstanceFromFile: 0x%X, File: %s.
Failure in IPersistFile->Load on returned interface in CoGetInstanceFromFile: 0x%X, File: %s.
Failure calling CoCreateInstanceEx in CoGetInstanceFromFile: 0x%X, File: %s.
Skipping virtual layer for CoGetInstanceFromFile because GetClassFile returned: 0x%X for file: %s.
ole32.dll
Error loading ole32.dll
CHooker::InterceptAPI32(L"ole32.dll", "CoCreateInstance", (PROC)New_CoCreateInstance, (PROC*)&Orig_CoCreateInstance)
CHooker::InterceptAPI32(L"ole32.dll", "CoCreateInstanceEx", (PROC)New_CoCreateInstanceEx, (PROC*)&Orig_CoCreateInstanceEx)
CHooker::InterceptAPI32(L"ole32.dll", "CoGetClassObject", (PROC)New_CoGetClassObject, (PROC*)&Orig_CoGetClassObject)
CHooker::InterceptAPI32(L"ole32.dll", "CoGetInstanceFromFile", (PROC)New_CoGetInstanceFromFile, (PROC*)&Orig_CoGetInstanceFromFile)
CHooker::InterceptAPI32(L"ole32.dll", "CoRegisterClassObject", (PROC)New_CoRegisterClassObject, (PROC*)&Orig_CoRegisterClassObject)
CHooker::InterceptAPI32(L"ole32.dll", "CoRevokeClassObject", (PROC)New_CoRevokeClassObject, (PROC*)&Orig_CoRevokeClassObject)
CHooker::InterceptAPI32(L"ole32.dll", "CoResumeClassObjects", (PROC)New_CoResumeClassObjects, (PROC*)&Orig_CoResumeClassObjects)
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{%s}
\REGISTRY\MACHINE\SOFTWARE\CLASSES\AppID\%s
Failed to start COM service in _CreateClassServerIf with Gle: %d, Clsid: %s, Service: %s
CreateProcessW failed in _CreateClassServerIf with Gle: %d, Clsid: %s, Server: %s
Wait for local server timed out in _CreateClassServerIf: Clsid: %s, Server: %s
The child COM local-server process for %s died without registering the COM object. Perhaps the Spawn Com Server setting should be turned off.
WaitForMultipleObjects unexpected result: 0x%X, gle: %d, Clsid: %s, Server: "%s"
_hEvt.Reset() failed: gle %d, clsid %s, server "%s", service "%s"
WaitForSingleObject(_hSem, 0) returned: 0x%X, gle: %d, clsid: %s, server: "%s"
Unsupported com class registration. Clsid: %s, ClsContext: 0x%X, Flags: 0x%X.
_hEvt.Set() failed: gle %d, clsid %s, server "%s", service "%s"
_hSem.Release() failed: gle %d, clsid %s, server "%s", service "%s"
_xvm_mtx_%s_%s
Failed to create "%s", gle %d, clsid %s, server "%s", service "%s"
_xvm_evt_%s_%s
_xvm_sem_%s_%s
Forcing initializaiton of isolation for %s to 0x%X (0x%X was attempted)
CConfigRegKey::CConfigRegKey
reader.Init(pstmLayer)
sizeReader.Init(&reader, false)
sizeReaderCollection.Init(pReader)
Skipping config type: 0x%X
sizeReaderCollection.ReadULONG(cItems)
sizeReaderCollection.ReadULONG(typeItem)
Collection type 0x%X does not match item type 0x%X during xlayer load.
sizeReader.ReadBlob(awcSignature, countof(XLAYER_SIGNATURE) - 1)
Invalid configuration from executable
sizeReader.ReadULONG(ulMajorVersion)
sizeReader.ReadULONG(ulMinorVersion)
Cannot read config built with newer major version format %d. Reader version %d.
Major version in config %d is lower than this reader version %d.. upgrading.
Minor version in config %d is of higher than this reader version %d. Some features required by this xlayer may not be available.
Minor version in config %d is lower than this reader version %d.
sizeReader.OnSizeValue()
sizeReader.ReadULONG(crc)
sizeReader.ReadULONG(cbCrc)
sizeReader.GetBaseStream(&pSeqStream)
pSeqStream.QueryInterface(&pStream)
Encountered unexpected type 0x%X during xlayer load
_LoadPortMap(pReader)
sizeReader.Init(pReader)
Skipping unknown config type: 0x%X
pDecraptSizeReader->ReadDotNetString(sSqlInstanceName, 0)
pDecraptSizeReader->ReadDotNetString(sStubExeCachePath, 0)
SQLXENOCODE
sizeReader.Init(pReader, false)
Invalid type in device: %x
Collection type 0x%X does not have CollectionBit set during device load.
pDecraptSizeReader->ReadDotNetString(sWebsite, 0)
pDecraptSizeReader->ReadULONG(ftExpirationDate.dwLowDateTime)
pDecraptSizeReader->ReadULONG(ftExpirationDate.dwHighDateTime)
pDecraptSizeReader->ReadDotNetString(sUrl, 0)
pDecraptSizeReader->ReadBOOL(fIsWebTimeSecure)
pDecraptSizeReader->ReadDotNetString(sWebTimeHost, 0)
pDecraptSizeReader->ReadDotNetString(sWebTimePath, 0)
pDecraptSizeReader->ReadULONG(dwWebTimePort)
pDecraptSizeReader->ReadBOOL(fExpireOnWebFail)
pDecraptSizeReader->ReadULONG(ftUtcBuildTime.dwLowDateTime)
pDecraptSizeReader->ReadULONG(ftUtcBuildTime.dwHighDateTime)
pDecraptSizeReader->ReadDotNetString(sShimDllName, 0)
shim.dll
sizeReader.ReadULONG(type)
Didn't see expected type: 0x%X, saw: 0x%X.
Loading inner layer: %s
pDecraptSizeReader->ReadDotNetString(strOperator, 0)
CVmConfig::_LoadPortMap
pDecraptSizeReader->ReadBOOL(bEnableTCP)
pDecraptSizeReader->ReadBOOL(bEnableUDP)
pDecraptSizeReader->ReadUSHORT(usServerPort)
pDecraptSizeReader->ReadDotNetString(sPassword, 0)
pDecraptSizeReader->ReadDotNetString(sLogin, 0)
Collection type 0x%X does not have CollectionBit set during remote server load.
sizeReaderCollection.Init(&sizeReader)
Collection type 0x%X does not match item type 0x%X during remote server load.
_LoadRemoteFolder(&sizeReaderCollection, sUrl)
pDecraptSizeReader->ReadDotNetString(sKeyName, 0)
Unable to locate special reg key root %s
Duplicate regkey %s will not be added as it is at lower layer.
sizeReader.GetStreamPosition(llStreamPositionSubKeys)
sizeReaderSubKey.Init(&sizeReader)
sizeReader.GetStreamPosition(llStreamPositionValues)
sizeReaderValue.Init(&sizeReader)
Unexpected key data collection item with type 0x%X
Unexpected key data item with type 0x%X
Skipping special directory root %s
Adding root directory %s (at %s) with flags: %X.
Unable to locate special directory root %s
Adding directory %s with flags: %X.
Duplicate directory %s will not be added as it is at lower layer.
sizeReader.GetStreamPosition(llStreamPositionSubDirs)
sizeReaderSubDir.Init(&sizeReader)
sizeReader.GetStreamPosition(llStreamPositionFiles)
sizeReaderFile.Init(&sizeReader)
Unexpected directory data collection item with type 0x%X
Unexpected directory data item with type 0x%X
CConfigRegKey::_FaultInSubKeysIf
reader.Init(iter->pOwningLayer->GetXLayerStream())
sizeReader.Init(&reader)
sizeReader.ReadULONG(cItems)
Error 0x%X faulting in sub-keys for key %s.
CConfigRegKey::_FaultInValuesIf
Duplicate reg value %s will not be added as it is at lower layer. type: 0x%X
Unexpected registry value %s, type: 0x%X
Error 0x%X faulting in values for key %s.
CConfigRegKey::_ReadTupleInfo
Error 0x%X faulting in sub-dirs for directory %s.
Duplicate file %s will not be added as it is at lower layer.
Error 0x%X faulting in files for directory %s.
Failed to get shortfilename info. Error: 0x%X, Item: %s, Path: %s
Failed to open directory candidate for shortfilename info. Error: 0x%X, Item: %s, Path: %s
pid:%d, tid:%d, tick:0x%X, lvl:%s, func:%s
, log:"%s"
, status:0x%X
, hr:0x%X
, clsid:X-X-X-X-XXXXXX
, ret:0x%X, gle:0x%X
, %s:0x%X
, %s:0x%XX
, %s:"%s"
, %s:%d
, %s:
, path:"%s"
, iostatus:0x%X, information:0x%X
, processid:0x%X, threadid:0x%X
, attribs:0x%X
, riid:X-X-X-X-XXXXXX
, handle:0x%X
%s\.crash
New_NtCreateNamedPipeFile
Unable to open the original exe file: %s with 0x%X
CSystemManager::CreateStubExeFileIf
Unable to create section on the original exe file: %s with 0x%X
Unable to map view of section on the original exe file: %s with 0x%X
Original exe is not valid nt image. Status: 0x%X, File: %s.
Original exe does not match x86 or x64 machine type, can't spawn vm. File: %s.
CHooker::InterceptAPI32(L"ntdll.dll", "LdrLoadDll", (PROC)New_LdrLoadDll, (PROC*)&Orig_LdrLoadDll)
CHooker::InterceptAPI32(L"ntdll.dll", "LdrUnloadDll", (PROC)New_LdrUnloadDll, (PROC*)&Orig_LdrUnloadDll)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCancelIoFile", (PROC)New_NtCancelIoFile, (PROC*)&Orig_NtCancelIoFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCancelIoFileEx", (PROC)New_NtCancelIoFileEx, (PROC*)&Orig_NtCancelIoFileEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateFile", (PROC)New_NtCreateFile, (PROC*)&Orig_NtCreateFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateMailslotFile", (PROC)New_NtCreateMailslotFile, (PROC*)&Orig_NtCreateMailslotFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateNamedPipeFile", (PROC)New_NtCreateNamedPipeFile, (PROC*)&Orig_NtCreateNamedPipeFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreatePagingFile", (PROC)New_NtCreatePagingFile, (PROC*)&Orig_NtCreatePagingFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtDeleteFile", (PROC)New_NtDeleteFile, (PROC*)&Orig_NtDeleteFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtFlushBuffersFile", (PROC)New_NtFlushBuffersFile, (PROC*)&Orig_NtFlushBuffersFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtLockFile", (PROC)New_NtLockFile, (PROC*)&Orig_NtLockFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtNotifyChangeDirectoryFile", (PROC)New_NtNotifyChangeDirectoryFile, (PROC*)&Orig_NtNotifyChangeDirectoryFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenFile", (PROC)New_NtOpenFile, (PROC*)&Orig_NtOpenFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryAttributesFile", (PROC)New_NtQueryAttributesFile, (PROC*)&Orig_NtQueryAttributesFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryDirectoryFile", (PROC)New_NtQueryDirectoryFile, (PROC*)&Orig_NtQueryDirectoryFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryEaFile", (PROC)New_NtQueryEaFile, (PROC*)&Orig_NtQueryEaFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryFullAttributesFile", (PROC)New_NtQueryFullAttributesFile, (PROC*)&Orig_NtQueryFullAttributesFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryInformationFile", (PROC)New_NtQueryInformationFile, (PROC*)&Orig_NtQueryInformationFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryVolumeInformationFile", (PROC)New_NtQueryVolumeInformationFile, (PROC*)&Orig_NtQueryVolumeInformationFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtReadFile", (PROC)New_NtReadFile, (PROC*)&Orig_NtReadFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtReadFileScatter", (PROC)New_NtReadFileScatter, (PROC*)&Orig_NtReadFileScatter)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetEaFile", (PROC)New_NtSetEaFile, (PROC*)&Orig_NtSetEaFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetInformationFile", (PROC)New_NtSetInformationFile, (PROC*)&Orig_NtSetInformationFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetVolumeInformationFile", (PROC)New_NtSetVolumeInformationFile, (PROC*)&Orig_NtSetVolumeInformationFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtUnlockFile", (PROC)New_NtUnlockFile, (PROC*)&Orig_NtUnlockFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtWriteFile", (PROC)New_NtWriteFile, (PROC*)&Orig_NtWriteFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtWriteFileGather", (PROC)New_NtWriteFileGather, (PROC*)&Orig_NtWriteFileGather)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryQuotaInformationFile", (PROC)New_NtQueryQuotaInformationFile, (PROC*)&Orig_NtQueryQuotaInformationFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetQuotaInformationFile", (PROC)New_NtSetQuotaInformationFile, (PROC*)&Orig_NtSetQuotaInformationFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtTranslateFilePath", (PROC)New_NtTranslateFilePath, (PROC*)&Orig_NtTranslateFilePath)
CHooker::InterceptAPI32(L"ntdll.dll", "NtDeviceIoControlFile", (PROC)New_NtDeviceIoControlFile, (PROC*)&Orig_NtDeviceIoControlFile)
CHooker::InterceptAPI32(L"ntdll.dll", "NtFsControlFile", (PROC)New_NtFsControlFile, (PROC*)&Orig_NtFsControlFile)
Not implemented op code 0x%X, with flags: 0x%X.
Not implemented rel8 jump op code 0x%X.
Not implemented ModRM code 0x%X, with flags: 0x%X.
GetModuleHandleW failed on: %s
Didn't find method %s.
Error hooking api. Bytes: X X X X X X.
New_NtAlpcCreatePort
New_NtCreatePort
New_NtAlpcConnectPort
New_NtSecureConnectPort
CHooker::InterceptAPI32(L"ntdll.dll", "NtAlpcCreatePort", (PROC)New_NtAlpcCreatePort, (PROC*)&Orig_NtAlpcCreatePort)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreatePort", (PROC)New_NtCreatePort, (PROC*)&Orig_NtCreatePort)
CHooker::InterceptAPI32(L"ntdll.dll", "NtAlpcConnectPort", (PROC)New_NtAlpcConnectPort, (PROC*)&Orig_NtAlpcConnectPort)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSecureConnectPort", (PROC)New_NtSecureConnectPort, (PROC*)&Orig_NtSecureConnectPort)
CHooker::InterceptAPI32(L"ntdll.dll", "NtClose", (PROC)New_NtClose, (PROC*)&Orig_NtClose)
CHooker::InterceptAPI32(L"ntdll.dll", "NtDuplicateObject", (PROC)New_NtDuplicateObject, (PROC*)&Orig_NtDuplicateObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtMakeTemporaryObject", (PROC)New_NtMakeTemporaryObject, (PROC*)&Orig_NtMakeTemporaryObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryObject", (PROC)New_NtQueryObject, (PROC*)&Orig_NtQueryObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetInformationObject", (PROC)New_NtSetInformationObject, (PROC*)&Orig_NtSetInformationObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSignalAndWaitForSingleObject", (PROC)New_NtSignalAndWaitForSingleObject, (PROC*)&Orig_NtSignalAndWaitForSingleObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtAssociateWaitCompletionPacket", (PROC)New_NtAssociateWaitCompletionPacket, (PROC*)&Orig_NtAssociateWaitCompletionPacket)
CHooker::InterceptAPI32(L"ntdll.dll", "NtWaitForMultipleObjects", (PROC)New_NtWaitForMultipleObjects, (PROC*)&Orig_NtWaitForMultipleObjects)
CHooker::InterceptAPI32(L"ntdll.dll", "NtWaitForSingleObject", (PROC)New_NtWaitForSingleObject, (PROC*)&Orig_NtWaitForSingleObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQuerySecurityObject", (PROC)New_NtQuerySecurityObject, (PROC*)&Orig_NtQuerySecurityObject)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateMutant", (PROC)New_NtCreateMutant, (PROC*)&Orig_NtCreateMutant)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenMutant", (PROC)New_NtOpenMutant, (PROC*)&Orig_NtOpenMutant)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateEvent", (PROC)New_NtCreateEvent, (PROC*)&Orig_NtCreateEvent)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenEvent", (PROC)New_NtOpenEvent, (PROC*)&Orig_NtOpenEvent)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateSemaphore", (PROC)New_NtCreateSemaphore, (PROC*)&Orig_NtCreateSemaphore)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenSemaphore", (PROC)New_NtOpenSemaphore, (PROC*)&Orig_NtOpenSemaphore)
Setting last seen child proc thread to 0x%X.
New_ShellExecuteExA
New_ShellExecuteExW
New_ShellExecuteA
operation
New_ShellExecuteW
cmdline
Calling GdiAddFontResourceW on %s directly to metal. Previous hr: 0x%X, status: 0x%X
Calling RemoveFontResourceExW on %s directly to metal. Previous hr: 0x%X, status: 0x%X
New thread started (via DoThreadStart) at address: 0x%X, parameter: 0x%X
New thread started (via BaseThreadInitThunk) at address: 0x%X, parameter: 0x%X
msiexec.exe
Found msiexec call, needs elevation
couldn't convert %s to NT path
Unable to create events. Gle: 0x%X
Unexpected return 0x%X from WaitForMultipleObjects during child process creation. Gle: 0x%X
Unable to resume startup thread in created child process. Gle: 0x%X
debugport
exceptionport
Call to %s made: Ret: 0x%X. Bypassing our virtual hosts impl.
Call to %s made: Ret: 0x%X.
CHooker::InterceptAPI32(L"kernelbase.dll", "GetCommandLineW", (PROC)New_GetCommandLineW, (PROC*)&Orig_GetCommandLineW)
CHooker::InterceptAPI32(L"kernelbase.dll", "GetCommandLineA", (PROC)New_GetCommandLineA, (PROC*)&Orig_GetCommandLineA)
CHooker::InterceptAPI32(L"kernelbase.dll", "GetQueuedCompletionStatus", (PROC)New_GetQueuedCompletionStatus, (PROC*)&Orig_GetQueuedCompletionStatus)
sCHooker::InterceptAPI32(L"kernelbase.dll", "ExitProcess", (PROC)New_ExitProcess, (PROC*)&Orig_ExitProcess)
CHooker::InterceptAPI32(L"kernel32.dll", "ExitProcess", (PROC)New_ExitProcessStub, (PROC*)&Orig_ExitProcessStub)
CHooker::InterceptAPI32(L"ntdll.dll", "RtlExitUserProcess", (PROC)New_RtlExitUserProcess, (PROC*)&Orig_RtlExitUserProcess)
CHooker::InterceptAPI32(L"kernel32.dll", "GetCommandLineW", (PROC)New_GetCommandLineW, (PROC*)&Orig_GetCommandLineW)
CHooker::InterceptAPI32(L"kernel32.dll", "GetCommandLineA", (PROC)New_GetCommandLineA, (PROC*)&Orig_GetCommandLineA)
CHooker::InterceptAPI32(L"kernel32.dll", "GetQueuedCompletionStatus", (PROC)New_GetQueuedCompletionStatus, (PROC*)&Orig_GetQueuedCompletionStatus)
CHooker::InterceptAPI32(L"kernel32.dll", "ExitProcess", (PROC)New_ExitProcess, (PROC*)&Orig_ExitProcess)
CHooker::InterceptAPI32(L"kernelbase.dll", "CreateProcessInternalW", (PROC)New_CreateProcessInternalW, (PROC*)&Orig_CreateProcessInternalW)
CHooker::InterceptAPI32(L"kernelbase.dll", "SetConsoleTitleW", (PROC)New_SetConsoleTitleW, (PROC*)&Orig_SetConsoleTitleW)
CHooker::InterceptAPI32(L"kernelbase.dll", "GetConsoleTitleW", (PROC)New_GetConsoleTitleW, (PROC*)&Orig_GetConsoleTitleW)
CHooker::InterceptAPI32(L"kernelbase.dll", "ReadConsoleA", (PROC)New_ReadConsoleA, (PROC*)&Orig_ReadConsoleA)
CHooker::InterceptAPI32(L"kernelbase.dll", "ReadConsoleW", (PROC)New_ReadConsoleW, (PROC*)&Orig_ReadConsoleW)
CHooker::InterceptAPI32(L"kernelbase.dll", "WriteConsoleA", (PROC)New_WriteConsoleA, (PROC*)&Orig_WriteConsoleA)
CHooker::InterceptAPI32(L"kernelbase.dll", "WriteConsoleW", (PROC)New_WriteConsoleW, (PROC*)&Orig_WriteConsoleW)
CHooker::InterceptAPI32(L"kernelbase.dll", "SetConsoleCtrlHandler", (PROC)New_SetConsoleCtrlHandler, (PROC*)&Orig_SetConsoleCtrlHandler)
CHooker::InterceptAPI32(L"kernelbase.dll", "SetConsoleCursorPosition", (PROC)New_SetConsoleCursorPosition, (PROC*)&Orig_SetConsoleCursorPosition)
CHooker::InterceptAPI32(L"kernel32.dll", "UpdateProcThreadAttribute", (PROC)New_UpdateProcThreadAttribute, (PROC*)&Orig_UpdateProcThreadAttribute)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateProcessInternalW", (PROC)New_CreateProcessInternalW, (PROC*)&Orig_CreateProcessInternalW)
CHooker::InterceptAPI32(L"kernel32.dll", "SetConsoleTitleW", (PROC)New_SetConsoleTitleW, (PROC*)&Orig_SetConsoleTitleW)
CHooker::InterceptAPI32(L"kernel32.dll", "GetConsoleTitleW", (PROC)New_GetConsoleTitleW, (PROC*)&Orig_GetConsoleTitleW)
CHooker::InterceptAPI32(L"kernel32.dll", "ReadConsoleA", (PROC)New_ReadConsoleA, (PROC*)&Orig_ReadConsoleA)
CHooker::InterceptAPI32(L"kernel32.dll", "ReadConsoleW", (PROC)New_ReadConsoleW, (PROC*)&Orig_ReadConsoleW)
CHooker::InterceptAPI32(L"kernel32.dll", "WriteConsoleA", (PROC)New_WriteConsoleA, (PROC*)&Orig_WriteConsoleA)
CHooker::InterceptAPI32(L"kernel32.dll", "WriteConsoleW", (PROC)New_WriteConsoleW, (PROC*)&Orig_WriteConsoleW)
CHooker::InterceptAPI32(L"kernel32.dll", "SetConsoleCtrlHandler", (PROC)New_SetConsoleCtrlHandler, (PROC*)&Orig_SetConsoleCtrlHandler)
CHooker::InterceptAPI32(L"kernel32.dll", "SetConsoleCursorPosition", (PROC)New_SetConsoleCursorPosition, (PROC*)&Orig_SetConsoleCursorPosition)
CHooker::InterceptAPI32(L"kernel32.dll", "BaseThreadInitThunk", (PROC)New_BaseThreadInitThunk, (PROC*)&Orig_BaseThreadInitThunk)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateRemoteThread", (PROC)New_CreateRemoteThread, (PROC*)&Orig_CreateRemoteThread)
Error loading kernel32.dll
CHooker::InterceptAPI32(L"kernel32.dll", "Wow64DisableWow64FsRedirection", (PROC)New_Wow64DisableWow64FsRedirection, (PROC*)&Orig_Wow64DisableWow64FsRedirection)
CHooker::InterceptAPI32(L"kernel32.dll", "Wow64EnableWow64FsRedirection", (PROC)New_Wow64EnableWow64FsRedirection, (PROC*)&Orig_Wow64EnableWow64FsRedirection)
CHooker::InterceptAPI32(L"kernel32.dll", "Wow64RevertWow64FsRedirection", (PROC)New_Wow64RevertWow64FsRedirection, (PROC*)&Orig_Wow64RevertWow64FsRedirection)
CHooker::InterceptAPI32(L"kernel32.dll", "SetConsoleTitleA", (PROC)New_SetConsoleTitleA, (PROC*)&Orig_SetConsoleTitleA)
CHooker::InterceptAPI32(L"kernel32.dll", "GetConsoleTitleA", (PROC)New_GetConsoleTitleA, (PROC*)&Orig_GetConsoleTitleA)
CHooker::InterceptAPI32(L"kernel32.dll", "GetComputerNameW", (PROC)New_GetComputerNameW, (PROC*)&Orig_GetComputerNameW)
CHooker::InterceptAPI32(L"kernel32.dll", "GetComputerNameA", (PROC)New_GetComputerNameA, (PROC*)&Orig_GetComputerNameA)
CHooker::InterceptAPI32(L"kernel32.dll", "GetComputerNameExW", (PROC)New_GetComputerNameExW, (PROC*)&Orig_GetComputerNameExW)
CHooker::InterceptAPI32(L"kernel32.dll", "GetComputerNameExA", (PROC)New_GetComputerNameExA, (PROC*)&Orig_GetComputerNameExA)
Iphlpapi.dll
Error loading Iphlpapi.dll
CHooker::InterceptAPI32(L"Iphlpapi.dll", "GetAdaptersAddresses", (PROC)New_GetAdaptersAddresses, (PROC*)&Orig_GetAdaptersAddresses)
CHooker::InterceptAPI32(L"ntdll.dll", "LdrShutdownThread", (PROC)New_LdrShutdownThread, (PROC*)&Orig_LdrShutdownThread)
eCHooker::InterceptAPI32(L"ntdll.dll", "LdrGetDllHandle", (PROC)New_LdrGetDllHandle, (PROC*)&Orig_LdrGetDllHandle)
CHooker::InterceptAPI32(L"ntdll.dll", "LdrResolveDelayLoadedAPI", (PROC)New_LdrResolveDelayLoadedAPI, (PROC*)&Orig_LdrResolveDelayLoadedAPI)
CHooker::InterceptAPI32(L"ntdll.dll", "LdrGetProcedureAddressForCaller", (PROC)New_LdrGetProcedureAddressForCaller, (PROC*)&Orig_LdrGetProcedureAddressForCaller)
CHooker::InterceptAPI32(L"ntdll.dll", "LdrGetProcedureAddressEx", (PROC)New_LdrGetProcedureAddressEx, (PROC*)&Orig_LdrGetProcedureAddressEx)
CHooker::InterceptAPI32(L"ntdll.dll", "LdrGetProcedureAddress", (PROC)New_LdrGetProcedureAddress, (PROC*)&Orig_LdrGetProcedureAddress)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenProcess", (PROC)New_NtOpenProcess, (PROC*)&Orig_NtOpenProcess)
sCHooker::InterceptAPI32(L"ntdll.dll", "NtCreateProcess", (PROC)New_NtCreateProcess, (PROC*)&Orig_NtCreateProcess)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateProcessEx", (PROC)New_NtCreateProcessEx, (PROC*)&Orig_NtCreateProcessEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateUserProcess", (PROC)New_NtCreateUserProcess, (PROC*)&Orig_NtCreateUserProcess)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateThread", (PROC)New_NtCreateThread, (PROC*)&Orig_NtCreateThread)
CHooker::InterceptAPI32(L"ntdll.dll", "NtTerminateProcess", (PROC)New_NtTerminateProcess, (PROC*)&Orig_NtTerminateProcess)
sCHooker::InterceptAPI32(L"ntdll.dll", "NtSetInformationProcess", (PROC)New_NtSetInformationProcess, (PROC*)&Orig_NtSetInformationProcess)
gdi32.dll
Error loading gdi32.dll
WCHooker::InterceptAPI32(L"gdi32.dll", "GdiAddFontResourceW", (PROC)New_GdiAddFontResourceW, (PROC*)&Orig_GdiAddFontResourceW)
CHooker::InterceptAPI32(L"gdi32.dll", "RemoveFontResourceExW", (PROC)New_RemoveFontResourceExW, (PROC*)&Orig_RemoveFontResourceExW)
mswsock.dll
Error loading mswsock.dll
CHooker::InterceptAPI32(L"mswsock.dll", "TransmitFile", (PROC)New_TransmitFile, (PROC*)&Orig_TransmitFile)
dnsapi.dll
Error loading dnsapi.dll
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQuery_W", (PROC)New_DnsQuery_W, (PROC*)&Orig_DnsQuery_W)
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQuery_UTF8", (PROC)New_DnsQuery_UTF8, (PROC*)&Orig_DnsQuery_UTF8)
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQuery_A", (PROC)New_DnsQuery_A, (PROC*)&Orig_DnsQuery_A)
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQueryExW", (PROC)New_DnsQueryExW, (PROC*)&Orig_DnsQueryExW)
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQueryExUTF8", (PROC)New_DnsQueryExUTF8, (PROC*)&Orig_DnsQueryExUTF8)
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQueryExA", (PROC)New_DnsQueryExA, (PROC*)&Orig_DnsQueryExA)
CHooker::InterceptAPI32(L"dnsapi.dll", "DnsQueryEx", (PROC)New_DnsQueryEx, (PROC*)&Orig_DnsQueryEx)
httpapi.dll
Error loading httpapi.dll
CHooker::InterceptAPI32(L"httpapi.dll", "HttpAddUrl", (PROC)New_HttpAddUrl, (PROC*)&Orig_HttpAddUrl)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpRemoveUrl", (PROC)New_HttpRemoveUrl, (PROC*)&Orig_HttpRemoveUrl)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpAddUrlToUrlGroup", (PROC)New_HttpAddUrlToUrlGroup, (PROC*)&Orig_HttpAddUrlToUrlGroup)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpRemoveUrlFromUrlGroup", (PROC)New_HttpRemoveUrlFromUrlGroup, (PROC*)&Orig_HttpRemoveUrlFromUrlGroup)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpTerminate", (PROC)New_HttpTerminate, (PROC*)&Orig_HttpTerminate)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpReceiveHttpRequest", (PROC)New_HttpReceiveHttpRequest, (PROC*)&Orig_HttpReceiveHttpRequest)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpSendHttpResponse", (PROC)New_HttpSendHttpResponse, (PROC*)&Orig_HttpSendHttpResponse)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpSendResponseEntityBody", (PROC)New_HttpSendResponseEntityBody, (PROC*)&Orig_HttpSendResponseEntityBody)
crypt32.dll
Error loading crypt32.dll
Error loading shell32.dll
CHooker::InterceptAPI32(L"shell32.dll", "SHAddToRecentDocs", (PROC)New_SHAddToRecentDocs, (PROC*)&Orig_SHAddToRecentDocs)
CHooker::InterceptAPI32(L"shell32.dll", "ShellExecuteExA", (PROC)New_ShellExecuteExA, (PROC*)&Orig_ShellExecuteExA)
CHooker::InterceptAPI32(L"shell32.dll", "ShellExecuteExW", (PROC)New_ShellExecuteExW, (PROC*)&Orig_ShellExecuteExW)
CHooker::InterceptAPI32(L"shell32.dll", "ShellExecuteA", (PROC)New_ShellExecuteA, (PROC*)&Orig_ShellExecuteA)
CHooker::InterceptAPI32(L"shell32.dll", "ShellExecuteW", (PROC)New_ShellExecuteW, (PROC*)&Orig_ShellExecuteW)
mpr.dll
Error loading mpr.dll
CHooker::InterceptAPI32(L"mpr.dll", "WNetGetResourceInformationW", (PROC)New_WNetGetResourceInformationW, (PROC*)&Orig_WNetGetResourceInformationW)
CHooker::InterceptAPI32(L"mpr.dll", "WNetGetResourceInformationA", (PROC)New_WNetGetResourceInformationA, (PROC*)&Orig_WNetGetResourceInformationA)
CHooker::InterceptAPI32(L"kernelbase.dll", "SetTokenInformation", (PROC)New_SetTokenInformation, (PROC*)&Orig_SetTokenInformation)
CHooker::InterceptAPI32(L"advapi32.dll", "SetTokenInformation", (PROC)New_SetTokenInformation, (PROC*)&Orig_SetTokenInformation)
Dropping runas verb from ShellExecute
_AdjustShellExecuteParameters
shell32.dll
SecPassthrough
FaultExecutables
AdvancedComSupport
Unrecognized override setting: %s
New_NtCompactKeys
New_NtCompressKey
New_NtCreateKey
New_NtDeleteKey
New_NtDeleteValueKey
New_NtEnumerateKey
New_NtEnumerateValueKey
New_NtFlushKey
New_NtLoadKey
New_NtLoadKey2
New_NtLoadKeyEx
New_NtLockRegistryKey
New_NtNotifyChangeKey
New_NtNotifyChangeMultipleKeys
New_NtOpenKey
New_NtOpenKeyEx
New_NtQueryKey
New_NtQueryMultipleValueKey
New_NtQueryOpenSubKeys
New_NtQueryOpenSubKeysEx
New_NtQueryValueKey
New_NtRenameKey
New_NtReplaceKey
New_NtRestoreKey
New_NtSaveKey
New_NtSaveKeyEx
New_NtSaveMergedKeys
New_NtSetInformationKey
New_NtSetValueKey
New_NtUnloadKey
New_NtUnloadKey2
New_NtUnloadKeyEx
CHooker::InterceptAPI32(L"ntdll.dll", "NtCompactKeys", (PROC)New_NtCompactKeys, (PROC*)&Orig_NtCompactKeys)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCompressKey", (PROC)New_NtCompressKey, (PROC*)&Orig_NtCompressKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateKey", (PROC)New_NtCreateKey, (PROC*)&Orig_NtCreateKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtDeleteKey", (PROC)New_NtDeleteKey, (PROC*)&Orig_NtDeleteKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtDeleteValueKey", (PROC)New_NtDeleteValueKey, (PROC*)&Orig_NtDeleteValueKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtEnumerateKey", (PROC)New_NtEnumerateKey, (PROC*)&Orig_NtEnumerateKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtEnumerateValueKey", (PROC)New_NtEnumerateValueKey, (PROC*)&Orig_NtEnumerateValueKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtFlushKey", (PROC)New_NtFlushKey, (PROC*)&Orig_NtFlushKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtLoadKey", (PROC)New_NtLoadKey, (PROC*)&Orig_NtLoadKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtLoadKey2", (PROC)New_NtLoadKey2, (PROC*)&Orig_NtLoadKey2)
CHooker::InterceptAPI32(L"ntdll.dll", "NtLoadKeyEx", (PROC)New_NtLoadKeyEx, (PROC*)&Orig_NtLoadKeyEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtLockRegistryKey", (PROC)New_NtLockRegistryKey, (PROC*)&Orig_NtLockRegistryKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtNotifyChangeKey", (PROC)New_NtNotifyChangeKey, (PROC*)&Orig_NtNotifyChangeKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtNotifyChangeMultipleKeys", (PROC)New_NtNotifyChangeMultipleKeys, (PROC*)&Orig_NtNotifyChangeMultipleKeys)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenKey", (PROC)New_NtOpenKey, (PROC*)&Orig_NtOpenKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenKeyEx", (PROC)New_NtOpenKeyEx, (PROC*)&Orig_NtOpenKeyEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryKey", (PROC)New_NtQueryKey, (PROC*)&Orig_NtQueryKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryMultipleValueKey", (PROC)New_NtQueryMultipleValueKey, (PROC*)&Orig_NtQueryMultipleValueKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryOpenSubKeys", (PROC)New_NtQueryOpenSubKeys, (PROC*)&Orig_NtQueryOpenSubKeys)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryOpenSubKeysEx", (PROC)New_NtQueryOpenSubKeysEx, (PROC*)&Orig_NtQueryOpenSubKeysEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryValueKey", (PROC)New_NtQueryValueKey, (PROC*)&Orig_NtQueryValueKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtRenameKey", (PROC)New_NtRenameKey, (PROC*)&Orig_NtRenameKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtReplaceKey", (PROC)New_NtReplaceKey, (PROC*)&Orig_NtReplaceKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtRestoreKey", (PROC)New_NtRestoreKey, (PROC*)&Orig_NtRestoreKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSaveKey", (PROC)New_NtSaveKey, (PROC*)&Orig_NtSaveKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSaveKeyEx", (PROC)New_NtSaveKeyEx, (PROC*)&Orig_NtSaveKeyEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSaveMergedKeys", (PROC)New_NtSaveMergedKeys, (PROC*)&Orig_NtSaveMergedKeys)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetInformationKey", (PROC)New_NtSetInformationKey, (PROC*)&Orig_NtSetInformationKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetValueKey", (PROC)New_NtSetValueKey, (PROC*)&Orig_NtSetValueKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtUnloadKey", (PROC)New_NtUnloadKey, (PROC*)&Orig_NtUnloadKey)
CHooker::InterceptAPI32(L"ntdll.dll", "NtUnloadKey2", (PROC)New_NtUnloadKey2, (PROC*)&Orig_NtUnloadKey2)
CHooker::InterceptAPI32(L"ntdll.dll", "NtUnloadKeyEx", (PROC)New_NtUnloadKeyEx, (PROC*)&Orig_NtUnloadKeyEx)
Failed to delete metadata for sandbox file %s due to 0x%X.
Failed to delete sandbox file %s due to 0x%X.
Failed to delete __meta__ file %s for deleted file due to 0x%X.
%s\xsandbox.bin
Setting special directory to full isolation %s
The sandbox location at %s has insufficient space. Requested space: %d MB, actual %d MB.
reader.Init(pStmSandboxFile)
reader.ReadBlob(acBuffer, sizeof(acHeader))
The XSandbox.bin file appears corrupt - unknown header.
reader.ReadULONG(majorVersion)
The XSandbox.bin indicates a newer major version sandbox than is understood by this VM version.
reader.ReadULONG(minorVersion)
The XSandbox.bin indicates a newer minor version sandbox than is understood by this VM version.
Sandbox %s needing upgrade is in use.
Unable to create XSandbox.bin file %s with error: 0x%X
writer.Write(acHeader, sizeof(acHeader))
writer.Write((ULONG)XSANDBOX_BIN_MAJOR_VERSION)
writer.Write((ULONG)XSANDBOX_BIN_MINOR_VERSION)
Upgrading sandbox %s from v%d.%d to v%d.%d.
\stubexe
VMAPICALL(VmDeleteDirectory(sStubExeFolder))
Unable to upgrade sandbox due to existing target roaming folder: %s
\xregistry.bin
MakeNtPath returned an error during sandbox expansion on %s: 0x%X
Setting sandbox path to: %s
%s\0xXX
MakeNtPath returned an error during sandbox cache expansion on %s: 0x%X
%s\XX
Setting registry cache path to: %s
An error 0x%X occurred flushing the roaming registry cache to the sandbox at shutdown.
An error 0x%X occurred flushing the local registry cache to the sandbox at shutdown.
Overriding special sandbox path %s to %s.
An error 0x%X occurred flushing the roaming registry cache to the sandbox.
An error 0x%X occurred flushing the local registry cache to the sandbox.
%s\xregistry.bin
reader.Init(pStmRegFile)
The XRegistry.bin file appears corrupt - unknown header.
reader.ReadULONG(version)
The XRegistry.bin file appears corrupt - unknown version.
VMAPICALL(VmCreateKey( &hRegRoot, pwcsRegRoot, KEY_ALL_ACCESS, TRUE))
_LoadKeyRecurse(reader, hRegRoot)
The XRegistry.bin file had errors during parsing: 0x%X. Resetting the registry state.
rReader.ReadULONG(cValues)
CSandbox::_LoadKeyRecurse
rReader.ReadULONG(cwcMaxValueName)
rReader.ReadULONG(cbMaxValueData)
rReader.ReadString(sName, 0x3FFF)
rReader.ReadULONG(ulType)
rReader.ReadULONG(cbBlob)
The XRegistry.bin file appears corrupt - data length too great.
rReader.ReadBlob(pbValueDataBuffer, cbBlob)
VMAPICALL(VmSetValueKey( hRegKey, sName, ulType, pbValueDataBuffer, cbBlob))
rReader.ReadULONG(cSubKeys)
rReader.ReadULONG(cwcMaxSubKeyName)
rReader.ReadString(sName, 0xFF)
VMAPICALL(VmCreateKeyEx( &hSubKey, hRegKey, sName, KEY_READ | KEY_WRITE, &fCreate))
_LoadKeyRecurse(rReader, hSubKey)
writer.Write((ULONG)XREGISTRY_BIN_VERSION)
_SaveKeyRecurse(writer, hRegRoot)
VMAPICALL(VmDeleteKey(sRenamePath))
VMAPICALL(VmRenameKey(hRegRoot, sRenameName))
VMAPICALL(VmDeleteKey(hRegRoot))
VMAPICALL(VmQueryKey( hRegKey, 0, &cwcMaxSubKeyName, 0, &cwcMaxValueName, &cbMaxValueData, 0))
CSandbox::_SaveKeyRecurse
rWriter.GetUnderylingStream(&pUnderlyingObj)
pUnderlyingObj.QueryInterface(&pUnderlyingStream)
rWriter.Write((ULONG)0)
rWriter.Write(cwcMaxValueName)
rWriter.Write(cbMaxValueData)
Unexpected error returned from VmEnumerateValueKey
rWriter.Write(pwcsValueNameBuffer)
rWriter.Write(dwType)
rWriter.Write(cbDataBuffer)
rWriter.Write(pbValueDataBuffer, cbDataBuffer)
rWriter.Write(i)
rWriter.Write(cwcMaxSubKeyName)
Unexpected error returned from VmEnumerateKey
Unexpected error returned from VmCreateKey
rWriter.Write(pwcsSubKeyNameBuffer)
_SaveKeyRecurse(rWriter, hSubKey)
CUtil::SetCurrentPosition(pUnderlyingStream, ullSubKeyCountPos)
Lazy-cleaning promoted: %s
reader.Init(pStmMetaFile)
The __meta__ file %s appears corrupt - unknown header.
The __meta__ file %s appears corrupt - unknown version.
reader.ReadULONG(fHashPresent)
reader.ReadBlob(abHash, MD5_HASH_BYTES)
Lazy-cleaning: %s
Upgrading or lazy-cleaning file in sandbox: %s
We don't yet support renaming virtual directories.
Try to promote local sandboxed file to: %s.
Promoting %s failed due to sharing violation.. Expected, so re-faulting from source.
Faulting in sandboxed copy of: %s
writer.Write((ULONG)XVM_META_VERSION)
writer.Write((ULONG)TRUE)
writer.WriteBlob((PVOID)pbHash, MD5_HASH_BYTES)
writer.Write((ULONG)FALSE)
writer.Write((ULONGLONG)0)
Couldn't read deleted items under %s due to 0x%X.
Couldn't open 'alt' dir for %s due to 0x%X.
CHooker::InterceptAPI32(L"ntdll.dll", "NtCreateSection", (PROC)New_NtCreateSection, (PROC*)&Orig_NtCreateSection)
CHooker::InterceptAPI32(L"ntdll.dll", "NtExtendSection", (PROC)New_NtExtendSection, (PROC*)&Orig_NtExtendSection)
CHooker::InterceptAPI32(L"ntdll.dll", "NtMapViewOfSection", (PROC)New_NtMapViewOfSection, (PROC*)&Orig_NtMapViewOfSection)
CHooker::InterceptAPI32(L"ntdll.dll", "NtOpenSection", (PROC)New_NtOpenSection, (PROC*)&Orig_NtOpenSection)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQuerySection", (PROC)New_NtQuerySection, (PROC*)&Orig_NtQuerySection)
CHooker::InterceptAPI32(L"ntdll.dll", "NtUnmapViewOfSection", (PROC)New_NtUnmapViewOfSection, (PROC*)&Orig_NtUnmapViewOfSection)
CHooker::InterceptAPI32(L"ntdll.dll", "NtUnmapViewOfSectionEx", (PROC)New_NtUnmapViewOfSectionEx, (PROC*)&Orig_NtUnmapViewOfSectionEx)
CHooker::InterceptAPI32(L"ntdll.dll", "NtQueryVirtualMemory", (PROC)New_NtQueryVirtualMemory, (PROC*)&Orig_NtQueryVirtualMemory)
CHooker::InterceptAPI32(L"ntdll.dll", "NtAreMappedFilesTheSame", (PROC)New_NtAreMappedFilesTheSame, (PROC*)&Orig_NtAreMappedFilesTheSame)
New_CloseServiceHandle::<lambda_970da0514bb48780f4ab491ae35d1ab7>::operator ()
New_ControlService::<lambda_3a67d91a4d58d5a5f9973332cc17845a>::operator ()
New_ChangeServiceConfig2A::<lambda_ea6c8cbd07995b26c0b4f4bdf41a9eec>::operator ()
New_ChangeServiceConfig2W::<lambda_7699db4edee44d4bdc517357f58c5469>::operator ()
New_CreateServiceW::<lambda_3f35bc08f08e29c08cc15927fa14be0e>::operator ()
New_EnumDependentServicesW::<lambda_d3ae41bf9e6bb651675e34aaedec33cf>::operator ()
New_GetServiceKeyNameA
New_GetServiceKeyNameW::<lambda_4e6abaa4036798190de5775c4655ab22>::operator ()
New_GetServiceDisplayNameW::<lambda_ffab40b5589aea36e04c8eeb200f29e7>::operator ()
New_OpenSCManagerA::<lambda_3336d17add3578c13e96f2f7d6f8955c>::operator ()
New_OpenSCManagerW::<lambda_8e35c84c5aa06bfbf42d9dd088e7deb2>::operator ()
New_OpenServiceA::<lambda_b97463f964eccaa115e19630d7622888>::operator ()
New_OpenServiceW::<lambda_c81d13b389175518747ef8d37997388e>::operator ()
New_QueryServiceConfigA::<lambda_c66a2e8671b6e8be6a7876c9ae62985a>::operator ()
New_QueryServiceConfigW::<lambda_8291269c456187f54a5efb1279a12718>::operator ()
New_QueryServiceConfig2A::<lambda_63ef998ecfe52a4685857151e097b366>::operator ()
New_QueryServiceConfig2W::<lambda_11b7a02fa7740ba9d532bbd26b031ba5>::operator ()
New_QueryServiceStatus::<lambda_9d2cba8ba2120761503ad968ba761364>::operator ()
Call to %s made: Ret: 0x%X, ServiceType: 0x%X, CurrentState: 0x%X, Win32ExitCode: 0x%X, ServiceExitCode: 0x%X.
Calling to %s.
Called to %s made: Ret: 0x%X.
New_StartServiceW::<lambda_7bed74b2d1d41eaf4d731a373c9449fb>::operator ()
CHooker::InterceptAPI32(moduleName, "GetServiceKeyNameA", (PROC)New_GetServiceKeyNameA, (PROC*)&Orig_GetServiceKeyNameA)
CHooker::InterceptAPI32(moduleName, "GetServiceKeyNameW", (PROC)New_GetServiceKeyNameW, (PROC*)&Orig_GetServiceKeyNameW)
\REGISTRY\MACHINE\System\CurrentControlSet\Services\%s
_xvm_mtx_%s_0xX
Failed to create mutex for service: %s.
_xvm_evt_shutdown_%s_0xX
Failed to create shutdown event for service: %s.
_xvm_evt_control_%s_0xX
Failed to create control event for service: %s.
_xvm_evt_controlhandlerabouttobecalled_%s_0xX
_xvm_evt_controlhandlercalled_%s_0xX
_xvm_mem_%s_0x%X
Failed to allocate shared memory for service: %s.
CHooker::InterceptAPI32(L"kernel32.dll", "GetThreadContext", (PROC)New_GetThreadContext, (PROC*)&Orig_GetThreadContext)
CHooker::InterceptAPI32(L"kernel32.dll", "ResumeThread", (PROC)New_ResumeThread, (PROC*)&Orig_ResumeThread)
X.exe
avant.exe
Shim: Translating NtSetInformationProcess response from STATUS_NOT_SUPPORTED to STATUS_SUCCESS. Probably ok.
CCompatibilityShims::IgnoreNtSetInformationProcessErrorsShim
iexplore.exe
sxwmon32.dll
CHooker::InterceptAPI32(L"kernel32.dll", "LoadLibraryExW", (PROC)New_LoadLibraryExW, (PROC*)&Orig_LoadLibraryExW)
Can't get PIMAGE_THUNK_DATA from msi.dll
CCompatibilityShims::HookIATModulesShimIf
w3wp.exe
CHooker::InterceptAPI32(L"advapi32.dll", "LsaManageSidNameMapping", (PROC)New_LsaManageSidNameMapping, (PROC*)&Orig_LsaManageSidNameMapping)
CHooker::InterceptAPI32(L"advapi32.dll", "LogonUserExW", (PROC)New_LogonUserExW, (PROC*)&Orig_LogonUserExW)
CHooker::InterceptAPI32(L"advapi32.dll", "LogonUserExExW", (PROC)New_LogonUserExExW, (PROC*)&Orig_LogonUserExExW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateProcessAsUserW", (PROC)New_CreateProcessAsUserW, (PROC*)&Orig_CreateProcessAsUserW)
CHooker::InterceptAPI32(L"advapi32.dll", "CreateProcessAsUserW", (PROC)New_CreateProcessAsUserW, (PROC*)&Orig_CreateProcessAsUserW)
CHooker::InterceptAPI32(L"kernelbase.dll", "CreateNamedPipeW", (PROC)New_CreateNamedPipeW, (PROC*)&Orig_CreateNamedPipeW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateNamedPipeW", (PROC)New_CreateNamedPipeW, (PROC*)&Orig_CreateNamedPipeW)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpCreateRequestQueue", (PROC)New_HttpCreateRequestQueue, (PROC*)&Orig_HttpCreateRequestQueue)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpSetServerSessionProperty", (PROC)New_HttpSetServerSessionProperty, (PROC*)&Orig_HttpSetServerSessionProperty)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpSetUrlGroupProperty", (PROC)New_HttpSetUrlGroupProperty, (PROC*)&Orig_HttpSetUrlGroupProperty)
tiworker.exe
_xvm_http_0xXX_0xXX_%s
Potential problem with exceed DirectoryName: %s
HttpSetPropertyHook
CHooker::InterceptAPI32(L"ntdll.dll", "KiUserCallbackDispatcher", (PROC)New_KiUserCallbackDispatcher, (PROC*)&Orig_KiUserCallbackDispatcher)
CCompatibilityShims::PrepareWindowsHookPrevention
sqlservr.exe
CHooker::InterceptAPI32(L"kernelbase.dll", "TlsAlloc", (PROC)New_TlsAlloc, (PROC*)&Orig_TlsAlloc)
CCompatibilityShims::PrepareTlsShimIf
CHooker::InterceptAPI32(L"kernel32.dll", "TlsAlloc", (PROC)New_TlsAlloc, (PROC*)&Orig_TlsAlloc)
CHooker::InterceptAPI32(L"user32.dll", "GetShellWindow", (PROC)New_GetShellWindow, (PROC*)&Orig_GetShellWindow)
CCompatibilityShims::PrepareIeShellWindowShimIf
\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
CHooker::InterceptAPI32(L"ntdll.dll", "NtAllocateVirtualMemory", (PROC)New_NtAllocateVirtualMemory, (PROC*)&Orig_NtAllocateVirtualMemory)
Unexpected attribs: 0x%X.
CDEPShim::_ConvertPageProtectionsToExecutable
NtQueryVirtualMemory failed in DEP shim unexpectedly: 0x%X.
CDEPShim::_ConvertExistingPageProtectionsToExecutable
Virtual protect failed in DEP shim: 0x%X.
Address overflow or invalid page in DEP shim: 0x%X.
CMsvcrtShim::New__dup
CHooker::InterceptAPI32(L"msvcr110.dll", "_dup", (PROC)New__dup, (PROC*)&Orig__dup)
CMsvcrtShim::HookRequiredApisIf
\StringFileInfo\xx\FileDescription
wixstdba.dll
gdiplus.dll
CCrypt32Shim::New_CryptProtectData::<lambda_9a62782635485ffbed67d26da942b7cc>::operator ()
Unsupported SpoonCrypt32 format
CCrypt32Shim::New_CryptUnprotectData::<lambda_6cd6fff02a74c2953a543651b0fd13ea>::operator ()
CHooker::InterceptAPI32(L"crypt32.dll", "CryptProtectData", (PROC)New_CryptProtectData, (PROC*)&Orig_CryptProtectData)
CHooker::InterceptAPI32(L"crypt32.dll", "CryptUnprotectData", (PROC)New_CryptUnprotectData, (PROC*)&Orig_CryptUnprotectData)
CHooker::InterceptAPI32(L"kernel32.dll", "QueryActCtxWWorker", (PROC)New_QueryActCtxW, (PROC*)&Orig_QueryActCtxW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateActCtxWWorker", (PROC)New_CreateActCtxW, (PROC*)&Orig_CreateActCtxW)
CHooker::InterceptAPI32(L"kernel32.dll", "QueryActCtxW", (PROC)New_QueryActCtxW, (PROC*)&Orig_QueryActCtxW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateActCtxW", (PROC)New_CreateActCtxW, (PROC*)&Orig_CreateActCtxW)
%s_0x%s.%d.manifest
%s_0x%s.manifest
Remapping %s under the manifest folder to under starup dir: %s. If active activation context was created outside this location, this remapping will not be correct as this is not yet implemented.
Calling TLS callbacks for module %p with reason %d.
Adding module %p to virtual TLS at index %d.
X-X-X-XX-XXXXXX
Unsupported path format given to Split: %s
VMAPICALL(VmCreateDirectory( &hDir, pwcsLeftPath, FILE_GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, &fCreate, 0))
@SQLXENOCODE@
Error 0x%X from call: %s
W32::SHGetFolderPathW( 0, nFolder, 0, SHGFP_TYPE_CURRENT, sResultPath.GetBuffer(MAX_PATH 1))
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
%COMMONPROGRAMW6432%
%USERPROFILE%
%COMMONPROGRAMFILES%
%COMMONPROGRAMFILES(x86)%
\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\REGISTRY\USER\%s\SOFTWARE\CLASSES\Wow6432Node\%s
\REGISTRY\USER\%s_Classes\%s
\REGISTRY\USER\%s\SOFTWARE\CLASSES\%s
\REGISTRY\USER\%s\SOFTWARE\Wow6432Node\CLASSES\%s
Too many alias mappings have been added. Skipping: %s ==> %s
Adding alias mapping from %s to %s
@APPDIR@ replaced with = %s
@APPDIR@ = %s
\REGISTRY\USER\%s
_SetSpecialFolderPathIfEmpty( CSIDL_WINDOWS, *psReplacement)
@WINDIR@ = %s
@SYSDRIVE@ = %s
@PROGRAMFILESX86@ = %s
@PROGRAMFILESCOMMONX86@ = %s
@SYSWOW64@ = %s
@SYSNATIVE@ = %s
@PROGRAMFILES@ = %s
@PROGRAMFILESCOMMON@ = %s
@SYSTEM@ = %s
@PROFILE@ = %s
@PROFILECOMMON@ = %s
@APPDATA@ = %s
@APPDATALOCAL@ = %s
@APPDATALOCALLOW@ = %s
@STARTMENU@ = %s
@PROGRAMS@ = %s
@STARTUP@ = %s
@TEMPLATES@ = %s
@FAVORITES@ = %s
@DESKTOP@ = %s
@DOCUMENTS@ = %s
@MUSIC@ = %s
@PICTURES@ = %s
@VIDEOS@ = %s
@APPDATACOMMON@ = %s
@STARTMENUCOMMON@ = %s
@PROGRAMSCOMMON@ = %s
@STARTUPCOMMON@ = %s
@DESKTOPCOMMON@ = %s
@TEMPLATESCOMMON@ = %s
@FAVORITESCOMMON@ = %s
@DOCUMENTSCOMMON@ = %s
@MUSICCOMMON@ = %s
@PICTURESCOMMON@ = %s
Got raw folders. Time consumed so far: %d ms.
\REGISTRY\USER\.DEFAULT
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\EnterpriseCertificates
\REGISTRY\USER\%s_Classes\Wow6432Node
\REGISTRY\USER\%s\SOFTWARE\CLASSES
\REGISTRY\USER\%s_Classes
Got alternative paths. Time consumed so far: %d ms.
@SQLXENOCODE@ = %s
CFolderMapper::SetSqlInstance
Failed to get name info for alternate mapping. Error: 0x%X, Path: %s
Open file info handle for alternate mapping not found. Error: 0x%X, Path: %s
Failed to open file info handle for alternate mapping. Error: 0x%X, Path: %s
CFolderMapper::_GetDFSSharePathIf
NtQuerySymbolicLinkObject failed (0x%X), using default device path.
NtQuerySymbolicLinkObject failed to get the size (0x%X), using default device path.
NtOpenSymbolicLinkObject failed (0x%X), using default device path.
NtOpenDirectoryObject failed (0x%X), using default device path.
Unexpected NT root for a DFS network share: %s.
Unexpected path: %s
\??\%c:
Currently don't support more than 4 virtual drives. Tried to add %s.
Failed to create directory in CAtomicFile. Path: %s
Failed to get device info for directory containing CAtomicFile. Path: %s
Using non-atomic mechanism for network share to location: %s
Target file is not writable in CAtomicFile. Path: %s
Failed to create tmp file in CAtomicFile. Path: %s
Failed to create file stream in CAtomicFile. Path: %s
Failed to create file section in CAtomicFile. Path: %s
Failed to open file in CAtomicFile. Path: %s
Failed to get file size in CAtomicFile. Path: %s
@APPDIR@\__Xenocode\%s
@PROGRAMFILES@\Xenocode\%s
Unable to load shim %s due to %d
Unable to locate shim %s, export %s due to %d
Unable to modify memory protect flags in CUtil::WriteProtectedMemory, gle: %d
Cross-region protected writes not yet supported
Unable to query memory protect flags in CUtil::WriteProtectedMemory, status: 0x%X
Regular expression matcher failed to parse: %s, Original pattern: %s, Error returned: %n
_pSeqStream->Read( rsString.GetBuffer(cwc), cwc*sizeof(WCHAR), 0)
_pSeqStream->Read( rsString.GetBuffer(cc), cc, 0)
pSeqStream.QueryInterface(&_pBaseStream)
Error mapping view in CNtMapper: 0x%X
Error mapping view in CNaiveNtMapper: 0x%X
Unable to open process 0x%X due to gle: %d.
IStream::CopyTo called with unsupported params
_IterateHelper( eMapperReadAccess, cb.QuadPart, 0, _CopyToData, pstm)
"%s" %s
IsCurrentUserInAdministratorsGroup::<lambda_2179f77a211af9bd662a768caed054fe>::operator ()
Start of diagnostic log for process with command line: %s, current pid: 0x%X
Done Setting some windows apis. Time consumed so far: %d ms.
Got OS info. Time consumed so far: %d ms.
Got parent info. Time consumed so far: %d ms.
Initialized folder mapper. Time consumed so far: %d ms.
11.8.723
Application executing with VM version: %s
CSandbox::FormatSandboxPath( g_vm.GetFolderMapper(), CProcessSettings::SandboxPath(), CProcessSettings::SandboxHash(), CProcessSettings::RegCacheRoot(), CProcessSettings::SpoonCachePath())
Extracted configuration. Time consumed so far: %d ms.
Failed to attach console to parent: %x
Failed to reopen stdout %x
Failed to reopen stderr %x
_folderMapper.MakeNtPath(sCurrentDirectory, sNtCurrentDirectory)
Stubexe module is not a valid NT image! Indicates some sort of application corruption.
CUtil::SetCurrentPosition(_pBootstrapExe, _cbOffsetPayload)
_config.LoadXLayer(eLoadBootstrapSettings, _pBootstrapExe)
_config.LoadXLayer(eLoadSystemLayer, _pBootstrapExe)
Loading /XEntry settings: %s.
_config.LoadXLayer(flags, _pBootstrapExe)
VMAPICALL(VmGetSpecialFolder( CSIDL_SYSTEM, _strSystem32.GetBuffer(cwc), &cwc))
Additional layer path: %s
Loading additional xlayer: %s.
Specified xlayer: %s could not be loaded because of 0x%X.
Didn't find required xlayer %s in default search pattern %s.
Loading /XEntry xlayer: %s.
_config.LoadXLayer(eLoadNonSystemLayers | eLoadEntryLayers, _pBootstrapExe)
Trying to add layer: %s
reader.Init(pStream)
reader.ReadULONG(signature)
Unsupported vm version
reader.ReadULONG(seedOriginal)
reader.ReadULONG(seedDataCompare)
reader.ReadULONG(seedBogusCompare)
reader.ReadULONG(cbFullSizeHashed32)
reader.ReadULONG(cbCompressedSizeHashed32)
reader.ReadULONG(cbFullSizeHashed64)
reader.ReadULONG(cbCompressedSizeHashed64)
reader.ReadULONG(cbFullSizeHashed)
reader.ReadULONG(cbCompressedSizeHashed)
_config.LoadXLayer(loadFlags, pStream)
Failed to add keep-alive notification handle. Gle: %d.
Failed to add reg-flush timer to timer queue. Gle: %d.
Finished extra init. Time consumed so far: %d ms.
ShellExecuteFile( rStartupFile.GetStartupDir(), rStartupFile.GetStartupFile(), L"open", rStartupFile.GetCommandLine(), 0, lastFile ? eWaitForAll : eNoWaitContinue, lastFile)
ShellExecuteFile( CProcessSettings::StartupDir(), CProcessSettings::StartupFile(), CProcessSettings::StartupVerb(), CProcessSettings::CommandLineArguments(), CProcessSettings::CurrentDirectory(), fWaitSetting, TRUE)
CSystemManager::ShellExecuteChildProcess
Launching startup file %s, verb %s, params %s, cur-dir %s, Wait for Return %d
CSystemManager::ShellExecuteFile
ShellExecuteEx failed for file: %s.
Failed to add wait-for-lastproc timer to timer queue. Gle: %d.
_CheckThatStartupExeMatchesStubExe(rfCanRun)
Unable to open file the startup module: %s.
Unable to create secion of startup module: %s.
Unable to map view of startup module: %s.
_folderMapper.MakeNtPath(CProcessSettings::StartupPath(), sNtPathToStartupFile)
CSystemManager::_CheckThatStartupExeMatchesStubExe
Startup file: %s not a real NT Image.
_GetRawImageData(pwcsStartupExe, &pbData, &cbData)
Startup file out-of-range of reserved region in child process: %s.
.local
Font file %s failed to load with error: %d.
Removing IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG entry from startup module %s to match stubexe.
Failed to create process default activation context. Gle: %d
mscoree.dll
Unable to load mscoree.dll due to 0x%X.
Unable to load a dependency module %s to the startup module %s due to error: 0x%X.
Unable to get module fullpath for %s.
Unable to create activation context for module %s.
Unable to located dependency module %s in loader list.
Unable to activate actctx for %s.
Error init tls for module: %s.
_LoadStaticDependenciesRecursive (pLdrData, (PBYTE)hImported, pwcsDllLoadPath)
Unable to deactivate actctx for %s.
Potential TLS leak for module %s!!!
Ordinal: %d
%s:%s
Unable to locate imported method: %s in module: %s while loading startup module: %s.
Activating actctx for: %s
CSystemManager::_ExecuteDllInitRoutinesRecursive
Running entry point with reason %d for: %s
Deactivating actctx for: %s
Any error occured while processing dll-init routines for: %s
Original exe does not have entry point. 0x01 File: %s.
Original exe does not have entry point. 0x02 File: %s.
_folderMapper.MakeNtPath(CProcessSettings::StartupPath(), sNtPathToStartupFile, FALSE)
CSystemManager::PrimeAndRunExe
_LoadStaticDependenciesRecursive(pLdrData, _pbMappedImage, pPeb->ProcessParameters->DllPath.Buffer)
_ExecuteDllInitRoutinesRecursive(DLL_PROCESS_ATTACH)
Had error 0xX in PrimeAndRunExe
OS Information - Version %d.%d.%d, SP: %d.%d, Suite: 0x%X, Platform: 0x%X, ProductType: 0x%X, Text: %s.
Wrapping File handle: 0x%X.
Wrapping Key handle: 0x%X.
CCompatibilityShims::PrepareTlsShimIf(CProcessSettings::StartupFile())
_HookWindowsApis ()
CCompatibilityShims::PrepareWindowsHookPrevention()
CCompatibilityShims::PrepareIeShellWindowShimIf()
Got following current directory from proc: %s
Error opening file to stub exe: %s, error: 0x%X.
CSystemManager::OpenSectionToStubExe
Error opening section to stub exe: %s, error: 0x%X.
spoon.exe
turbo.exe
__xnospawnvm_0x%x
Creating process %s. IsExternal: %d, SpawnVm: %d, AfterExceptionLookup: %d
Module 0x%X, not valid PE when looking for procedure: %s
Called for other process' window (%u) (current process=%u)
Telling the process to exit gracefully (causedByUserAction=%d, isService=%d, isConsoleApp=%d)
In EnumWindows call
ADVAPI32.DLL
COMCTL32.DLL
CRYPT32.DLL
GDI32.DLL
IERTUTIL.DLL
KERNEL32.DLL
KERNELBASE.DLL
MSASN1.DLL
MSVCRT.DLL
NORMALIZ.DLL
NSI.DLL
NTDLL.DLL
OLE32.DLL
OLEAUT32.DLL
RPCRT4.DLL
SECUR32.DLL
SHELL32.DLL
SHLWAPI.DLL
USER32.DLL
URLMON.DLL
WININET.DLL
WS2_32.DLL
WS2HELP.DLL
Found restricted dll %s in system32 or syswow64. We require the startup exe launch in child process.
Setting special directory to merge isolation %s
Setting special registry to writecopy isolation %s
Overridding file isolation for %s to %d
VMAPICALL(VmGetSpecialFolder( CSIDL_WINDOWS, _strVirtualSxsPath.GetBuffer(cwc), &cwc))
Dependant service %s didn't return config with gle: 0x%X.
Dependant service %s didn't return status with gle: 0x%X.
Dependant service %s didn't start with ExitCode: 0x%X, ServiceExitCode: 0x%X.
Dependant service %s didn't start with gle: 0x%X.
Dependant service %s didn't start within 30 seconds. Current state: 0x%X, ExitCode: 0x%X, ServiceExitCode: 0x%X.
Auto-start service %s isn't one of the supported types. Type: 0x%X.
_xvm_evt_startupcompleted_0xX
psapi.dll
oleaut32.dll
rpcrt4.dll
version.dll
comctl32.dll
__VMX_0xX
Failed to fault-in reg key segment. Error: 0x%X, Path: %s
CVmApi::VmCreateKeyEx
Failed to fault-in directory path segment. Error: 0x%X, Path: %s
Unable to delete path %s due to 0x%X
VmGetVolumeInformation failed openeing the file %s: 0x%X
VmGetVolumeInformation failed querying FileFsVolumeInformation for %s: 0x%X
VmGetVolumeInformation failed querying FileFsDeviceInformation for %s: 0x%X
Unable to delete path element %s due to 0x%X
%s\%s
Converting global windows hook to just current thread. Could result application compatibility issues.
New_SetWindowsHookExA
New_SetWindowsHookExW
CSystemManager::_HookWindowsApis
ACHooker::InterceptAPI32(L"user32.dll", "FindWindowA", (PROC)New_FindWindowA, (PROC*)&Orig_FindWindowA)
CHooker::InterceptAPI32(L"user32.dll", "FindWindowW", (PROC)New_FindWindowW, (PROC*)&Orig_FindWindowW)
CHooker::InterceptAPI32(L"user32.dll", "FindWindowExA", (PROC)New_FindWindowExA, (PROC*)&Orig_FindWindowExA)
CHooker::InterceptAPI32(L"user32.dll", "FindWindowExW", (PROC)New_FindWindowExW, (PROC*)&Orig_FindWindowExW)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowTextA", (PROC)New_SetWindowTextA, (PROC*)&Orig_SetWindowTextA)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowTextW", (PROC)New_SetWindowTextW, (PROC*)&Orig_SetWindowTextW)
CHooker::InterceptAPI32(L"user32.dll", "GetWindowTextA", (PROC)New_GetWindowTextA, (PROC*)&Orig_GetWindowTextA)
CHooker::InterceptAPI32(L"user32.dll", "GetWindowTextW", (PROC)New_GetWindowTextW, (PROC*)&Orig_GetWindowTextW)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowsHookExW", (PROC)New_SetWindowsHookExW, (PROC*)&Orig_SetWindowsHookExW)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowsHookExA", (PROC)New_SetWindowsHookExA, (PROC*)&Orig_SetWindowsHookExA)
CHooker::InterceptAPI32(L"user32.dll", "CreateWindowExA", (PROC)New_CreateWindowExA, (PROC*)&Orig_CreateWindowExA)
WCHooker::InterceptAPI32(L"user32.dll", "CreateWindowExW", (PROC)New_CreateWindowExW, (PROC*)&Orig_CreateWindowExW)
CHooker::InterceptAPI32(L"user32.dll", "CreateWindowA", (PROC)New_CreateWindowA, (PROC*)&Orig_CreateWindowA)
CHooker::InterceptAPI32(L"user32.dll", "CreateWindowW", (PROC)New_CreateWindowW, (PROC*)&Orig_CreateWindowW)
\REGISTRY\USER\%s\Environment
pipe
Module 0x%X, not valid PE when looking for RVA: 0x%X
Failed to query existing file information. Error: 0x%X, Path: %s
CNtSystemVirtual::NtCreateNamedPipeFile
.config
Error creating new file for virtual directory rename (0x%x): %s
Error iterating children during virtual directory rename (0x%x): %s
Path skipped during virtual directory move... handled: %d, status: 0x%x, path: %s
Error moving child '%s' to '%s' during virtual directory rename (0x%x)
Error removing old directory during virtual directory rename (0x%x): %s
\shallow\%s_0x%s%s
Shallow path available only for full-iso virtual files: %s
Shallow path unavailable for non-handled path: %s
Couldn't get volume info handle on current drive %s due to error: 0x%X. Using bootstrap path %s instead.
Failed to open volume information handle for virtual file. Error: 0x%X, Path: %s
Faulting in file: %s. Use roaming: %d.
Unexpected path prefix: "%s"
Unable to open file for faulting-in. Error: 0x%X, Path: %s.
Unable to create section of fault-in file. Error: 0x%X, Path: %s.
Unable to read current position when faulting in write-copy file. Might not have permission to get position. Error: 0x%X, Path: %s.
Unexpected error from file stream. Error: 0x%X, Path: %s
Failed to set file stream position. Error: 0x%X, Path: %s
Unable to obtain file stream. Error: 0x%X, Path: %s
Called FindFirstFile with unsupported params. FileHandle: 0x%X, Event: 0x%X, Apc: 0x%X, FileInformationClass: 0x%X, Path: %s.
Very large files not supported. Tried to access: %s.
decompStream.Init (pMemStream)
decryptStream.Init (&decompStream, _seed)
_cacheFileMemory.GetData(item, (void**)&pbData, &cbData)
Corrupt path parts in CRemotedFileObject::Init: %s, %s
Unsupported rename operation
Unsupported RootDir in rename file operation
Unsupported rename file operation: %s
FileFsDriverPathInformation unsupported
Duplicating handle into virtual process %x, obj path %s.
Duplicating handle into a non-virtual process; obj path %s.
We don't expect to not handle a cross-proc duplicated virtual file %s, status: 0x%0X.
We don't expect to not handle a cross-proc duplicated object %s, type: 0x%X.
Dropping NtSetSecurityObject on the floor. Usually not a problem. Use enableLegacySecurityPassthrough="True" otherwise.
Need to implement duplicate handle to another process for %s.
Can only launch 32 and 64bit child process %s in VM.. just launching outside..
\??\@WINDIR@\System32\windowspowershell\v1.0\powershell.exe
\??\@WINDIR@\SysWOW64\windowspowershell\v1.0\powershell.exe
CNtSystemVirtual::NtCompactKeys
CNtSystemVirtual::NtLoadKey
CNtSystemVirtual::NtLoadKey2
CNtSystemVirtual::NtLoadKeyEx
CNtSystemVirtual::NtLockRegistryKey
CNtSystemVirtual::NtQueryOpenSubKeys
CNtSystemVirtual::NtQueryOpenSubKeysEx
CNtSystemVirtual::NtReplaceKey
CNtSystemVirtual::NtRestoreKey
CNtSystemVirtual::NtSaveKey
CNtSystemVirtual::NtSaveKeyEx
CNtSystemVirtual::NtSaveMergedKeys
%UserProfile%
CNtSystemVirtual::NtUnloadKey
CNtSystemVirtual::NtUnloadKey2
CNtSystemVirtual::NtUnloadKeyEx
Failed to open root regkey node. Error: 0x%X, Path: %s
CNtSystemVirtual::FaultInRegKeysIf
Failed to faulted-in value: %s for key: %s. Error: 0x%X
Failed to fault-in key segment. Error: 0x%X, Path: %s
Failed to query existing reg key information. Error: 0x%X, Path: %s
CNtSystemVirtual::AddExistingRegKey
Dropping DesiredAccess from 0x%X to 0x%X for faulting in key %s
CVirtualRegKey::Init
NtRenameKey not implemented for virtual registry keys, Path: %s
CVirtualRegKey::NtRenameKey
Called QueryKey with unsupported class. KeyInformationClass: 0x%X, Length: 0x%X, Path: %s.
CVirtualRegKey::NtQueryKey
Called EnumerateKey with unsupported class. KeyInformationClass: 0x%X, Length: 0x%X, Path: %s.
CVirtualRegKey::_NtEnumerateKeyHelper
Failed to get cached info for %s.
CVirtualRegKey::_CheckCacheValidityUpdateIf
Faulting in cached copy of: %s.
CVirtualRegKey::_lokFaultInSandboxIf
Dropping _DesiredAccess from 0x%X to 0x%X for faulting in %s
Failed to open faulted-in virtual key with desired access. Error: 0x%X, Path: %s
Possible issue with KEY_WOW64_64KEY | KEY_WOW64_32KEY access bits on key: %s. Check if this virtual reg key is merge isolation; try setting to full.
CWriteCopyRegKey::Init
Failed to make path string %s uppercase gle: 0x%X.
Failed to make path string %s lowercase gle: 0x%X.
Faulting in section backed by file: %s. Write operation: %d.
Error mapping in image from stream.. Status: 0x%X.
Failed to set correct protections for image section. Desired access: 0x%X, Address: 0x%X, Size: 0x%X, GLE: %d, Using default.
File %s is not real NT Image.. Status: 0x%X.
NtQueryVirtualMemory with info %d on section %s.
Called NtCreateSection on a non file. Not implemented. FileHandle: 0x%X, Path: %s.
Unsupported call to ChangeServiceConfig2A attempted. We are returning success anyway, but this might cause problems.
Unsupported call to ChangeServiceConfig2W attempted. We are returning success anyway, but this might cause problems.
CNtSystemVirtual::GetServiceKeyNameA
CNtSystemVirtual::GetServiceKeyNameW
Configuration type %d not implemented
Starting service %s with more than %d arguments is not yet implemented.
sc.exe
net.exe
net1.exe
Unable to start msiexec as non-admin
CreateProcessW failed in _LokDoStartService with Gle: %d, Startup: %s, Server: %s
Couldn't convert %s to nt path, will try next layer
Unexpected sxs cache path: %s
Unable to write default manifest file, hr: %x
Commit failed when writing default manifest file, status: %x
Unable to write default manifest file, status: %x
Unsupported manifest flags sent. Flags: 0x%X, ResourceStr: %s, ResourceInt: 0x%X, Path: %s
PIPE
Failure: 0x%X in CEncryptStream::Write, _pBaseStream->Write()
End tag of %s element not found
Expecting end tag of element %s
End tag does not correspond to %s
End tag not completed for element %s
Failure: 0x%X in CDecompressStream::Write, inflate()
Failure: 0x%X in CDecompressStream::Write, _pBaseStream->Write()
Wuser32.dll
%original file name%.exe_2624_rwx_10000000_00001000:
.text
`.rdata
@.data
.rsrc
@.reloc
UltraISO.exe_3304:
.text
.data
.rdata
.idata
.edata
.rsrc
.reloc
.ezbexe
.adata
TfrmPassword *
TfrmPassword
UfrmPassword
Qh%Cy
Qh.Fy
TtaoExecuteAction
TtaoExecuteActionEvent
OnExecuteAction
%s: %s
TtaoInURL
TtaoInURLNetscape4
TtaoOutURL
TtaoOutURLShortcut
TtaoOutURLShortcutTitle
OLE32.DLL
TtaoOutBiff8d%X
TtaoOutURLx1X
TtaoOutURLShortcutH2X
TtaoOutURLShortcutTitle(3X
TtaoOutURLNetscape4,5X
TtaoOutURLNetscape4
URL=%s
OnKeyDownx#`
OnKeyPress8#`
OnKeyUpd
OnKeyDown
OnKeyPress|.Y
OnKeyUp
ssHorizontal
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
UrlMon
USER32.DLL
MAPI32.DLL
comctl32.dll
ISupportErrorInfo$
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
ole32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
kernel32.dll
oleaut32.dll
EVariantBadIndexError
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
olepro32.dll
PasswordChardc]
AutoHotkeys
EInvalidGridOperation
EInvalidGraphicOperation
KeyPreviewx`]
WindowState
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Proportional
%s%s%s%s%s%s%s%s%s%s
HelpKeywordl
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
msShiftSelect
vsReport
%s%s%s
&Associate UltraISO with the .iso file extension
Get unlimited E-Mail technical support
Import IML...
&Support Forum
Associate UltraISO with .iso files
Backup Files on Save (.uibak)
Support 'Daylight Saving Time'
Set Password
Set .ISZ as default image format
Generate redundant volume (.ISR)
Remember password
Password Protection
Create checksum file (.SFV)
Standard ISO(.ISO)
BIN (.BIN/.CUE)
Compressed ISO(.ISZ)
Read Error at %d
Master Boot Record file (*.mbr)
*.mbr
Invalid or unsupported partition table.
Are you sure to restore MBR from file '%s' to device %s ?
Partition table will be changed on device '%s', continue to restore ?
Invalid MBR file '%s'.
Are you sure to write %s MBR to device %s ?
Sorry, only a FAT/FAT32 or NTFS volume is supported.
Are you sure to restore boot sector from file '%s' to device %s ?
Invalid Boot Sector file '%s'.
File system will be changed from %s to %s, continue to restore ?
Disk geometry of drive %c: will be changed, continue to restore ?
BPB(BIOS parameter block) of drive %c: will be changed, continue to restore ?
Are you sure to write %s boot sector to device %s ?
%s Boot Sector does not support %s volume.
Not enough space to hold boot sector (%d sectors reserved, %d sectors needed).
Error copying file '%s' to '%s'.
Are you sure to Xpress Write disk image to device %s ?
Are you sure to change partition table of device %s ?
Long Filename Support
Image Size Out of Range (%s)!
Boot Sector: %s
%d Files in %d Folders
Passed
Password
Enter Password:
Password is not identical!
EXE File(*.exe)
*.exe
Standard ISO File (*.iso)
*.iso
Compressed ISO File (*.isz)
*.isz
BIN File (*.bin/*.cue)
*.bin
Nero File (*.nrg)
*.nrg
Alcohol File (*.mdf/*.mds)
*.mdf
CloneCD File (*.img/*.ccd/*.sub)
*.img
Boot Image File (*.bif)
*.bif
Floppy Image File (*.ima;*.img)
*.ima;*.img
Floppy drive %s error!
Floppy drive %s read error!
File '%s' Create Error!
File '%s' Open Error!
File '%s' not found!
File '%s' Exist,Overwrite?
File '%s' Cannot Write, Used by Another Program?
Image File '%s' Read Error!
Image File '%s' Write Error!
Add All Files in Drive %c: ?
Extract All Files from '%s'?
Be Sure to Delete Folder '%s' and Files in It?
Be Sure to Delete File '%s' ?
Be Sure to Delete %d Files Selected?
Be Sure to Move Folder '%s' ?
Be Sure to Move File '%s' ?
Be Sure to Move Selected %d Files?
File Name '%s' Exists!
Folder '%s' rename error!
Can not Create Directory '%s' !
Be Sure to Restore Last Operation?
Not enough free space on drive %c:, continue anyway?
Adding %d Files from %d Folders ...
Optimizing %6.2f%% of %d Files ...
Optimizing %d Files ...
Wrong parameter: '%s'
Image File '%s' Overflow!
Backing up %s ...
ASPI Error -- Couldn't load wnaspi32.dll!
ASPI reported 0 host adapters.
Error calling getASPI32SupportInfo!
File SuperSER.dll not found!
File '%s' read Error!
ISO image '%s' Cannot be added to itself!
File '%s' is not a WAV/MP3 file.
File '%s' is not in Microsoft PCM format.
File '%s' is %dch/%dbits/%skhz,
File viewer '%s' not found.
ISO folder '%s' not found.
Output directory '%s' not found.
CD/DVD image duplicate finished, with '%d' bad sectors encountered.
Directory size: %d KB (%d Files in %d Folders)
Boot files(*.bif;*.ezb;*.ima;*.bin;*.img)
*.bif;*.ezb;*.ima;*.bin;*.img
This Multi-Session/Track CD image will be saved in Nero(.NRG) format.
Found %s.
FAT32 volume does not support image file exceeds 4GB, continue anyway?
Default burning software '%s' not found.
ISO Project File (*.ui)
Unsupported block size, HFS volume will be skipped.
Unsupported start of partition, HFS volume will be skipped.
MD5 Checksum supports data CD/DVD image only!
MD5 Checksum File (*.md5)
*.md5
File '%s' is not in MP3 format.
Image file '%s' is loaded to a virtual CD/DVD drive, unmount it?
Boot Sector (*.bsf)
*.bsf
Please confirm your file renaming operation first.
You need admin privileges to run this operation.
Unsupported UDF volume!
Size of file '%s' exceeds 4GB limit!
Size of file '%s' exceeds 4GB.
Chechsum Verification Passed.
Log File(*.txt)
*.txt
Unsupported Virtual Drive Program!
CRC failed in '%s'!
No errors found during test operation!
Test operation failed!
Disk Image (*.ima;*.img;*.bif;*.flp)
*.ima;*.img;*.bif;*.flp
Compressed Images (*.isz;*.dmg;*.daa;*.uif)
*.isz;*.dmg;*.daa;*.uif
This image is password protected!
File '%s' name changed.
>>New name: '%s'.
WARNING! ALL DATA ON DRIVE %s WILL BE LOST!
Error %d accessing the device.
Error %d writing the device.
Error %d reading the device.
Configuration file '%s' created successfully!
Generating '%s'...
Extracting '%s'...
Copying '%s' to '%s'...
Replacement in file '%s': '%s'->'%s'
Folder renamed: '%s'->'%s'
File skipped: '%s'
Cannot open NeroAPI.DLL
This recorder does not support rewritable discs!
Erasing disc. This will take %d seconds.
Device could not be opened: %s
All Images (*.*)
Number of blocks in ISO image is %d
Requesting burn at %s speed
Media type: %s
Waiting for drive to finalize disc (this may take up to %d minutes)
Success: Finalizing media took %d seconds
Error formatting the %s media
Burn process started, speed is %.1fX (%d KB/s)
Burn process completed, average speed is %.1fX (%d KB/s)
Error verifying free blocks on media (%d needed, %d available)
Total time: %dm%ds
Verify process started, speed is %.1fX (%d KB/s)
Verify process completed, average speed is %.1fX (%d KB/s)
Error importing IML file!
IML files (*.iml)
*.iml
Invalid SYSTEM.CNF file!
IMS file '%s' not found!
Error importing project file!
Mount to drive %c:
Add to '%s.iso'
Compress to '%s.isz'
Extract to folder '%s'
hXXp://VVV.ezbsystems.com
hXXp://VVV.ezbsystems.com/ultraiso
hXXp://VVV.ezbsystems.com/ultraiso/order.htm
hXXp://VVV.ezbsystems.com/easyboot
hXXp://forum.ezbsystems.com
%s\lang\lang_jp.dll
%s\lang\lang_de.dll
%s\lang\lang_fr.dll
%s\lang\lang_it.dll
%s\lang\lang_es.dll
%s\lang\lang_pt.dll
%s\lang\lang_br.dll
%s\lang\lang_nl.dll
%s\lang\lang_se.dll
%s\lang\lang_pl.dll
%s\lang\lang_cz.dll
%s\lang\lang_sk.dll
%s\lang\lang_hu.dll
%s\lang\lang_ru.dll
%s\lang\lang_ua.dll
%s\lang\lang_bg.dll
%s\lang\lang_tr.dll
%s\lang\lang_kr.dll
%s\lang\lang_gr.dll
%s\lang\lang_yu.dll
%s\lang\lang_sr.dll
%s\lang\lang_by.dll
%s\lang\lang_he.dll
%s\lang\lang_dk.dll
%s\lang\lang_no.dll
%s\lang\lang_lv.dll
%s\lang\lang_ar.dll
%s\lang\lang_si.dll
%s\lang\lang_cn.dll
%s\lang\lang_tw.dll
%s\lang\lang_et.dll
%s\lang\lang_ct.dll
%s\lang\lang_fi.dll
%s\lang\lang_mk.dll
%s\lang\lang_hr.dll
%s\lang\lang_ro.dll
%s\lang\lang_lt.dll
%s\lang\lang_ir.dll
%s\lang\lang_vn.dll
%s\lang\lang_my.dll
%s\lang\lang_id.dll
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=jp
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=cn
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=tw
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=cz
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=sk
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=de
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=es
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=fr
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=hu
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=it
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=nl
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=pl
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=pt
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=ru
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=se
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=ua
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=bg
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=tr
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=kr
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=gr
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=yu
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=by
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=he
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=dk
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=no
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=lv
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=ar
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=si
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=et
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=ct
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=fi
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=mk
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=hr
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=ro
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=lt
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=vn
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=my
hXXp://VVV.ezbsystems.com/ultraiso/order.php?uilang=id
Bad string ID: %d
~BI227E.tmp
~BI227F.tmp
*.bin;*.cue
*.mds;*.mdf
*.ashdisc
*.bwt;*.bwi
*.lcd
*.ccd;*.img
*.dvd;*.000
*.daa
*.cdi
*.cif
*.xmf;*.xmd
*.pdi
*.dmg;*.timg;*.hfs
*.ncd
*.pxi
*.rif;*.rdf
*.uif
*.vc4
*.fcd
*.vcd
*.ima;*.bif;*.flp
*.dao;*.tao
*.p01;*.md1;*.xa
*.VaporCD
*.gcd
*.ixa
*.vdi
mycd.iso
.iso;.nrg;.cue
.iso;.c2d;*.cif;.cue
.iso;.cif
.iso;.c2d
.iso;.gi
.iso;.ncd
.iso;.b5t;.ccd;.mds;.cue
.iso;.bwt;.cue
lang_ar.dll
lang_by.dll
Brazilian Portuguese
lang_br.dll
lang_bg.dll
lang_ct.dll
lang_cn.dll
lang_tw.dll
lang_hr.dll
lang_cz.dll
lang_dk.dll
lang_de.dll
lang_es.dll
lang_et.dll
lang_fi.dll
lang_fr.dll
lang_gr.dll
lang_he.dll
lang_hu.dll
lang_id.dll
lang_it.dll
lang_jp.dll
lang_kr.dll
lang_lv.dll
lang_lt.dll
lang_mk.dll
lang_my.dll
lang_nl.dll
lang_no.dll
lang_ir.dll
lang_pl.dll
Portuguese
lang_pt.dll
lang_ro.dll
lang_ru.dll
lang_sr.dll
lang_yu.dll
lang_sk.dll
lang_si.dll
lang_se.dll
lang_tr.dll
lang_ua.dll
lang_vn.dll
-infile "%s" -writeusb
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\%s
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\%s
%s\%s
%s - %s
d.daa
d.daa
d.isz
d.isz
Mdd_ddd
UltraISO %s
"%s\UltraISO.exe",0
"%s\UltraISO.exe" "%1"
%s %s
NeroBurn.exe
ISZPassword
ISZKey
foo.txt
Mediad
%s\checklog.txt
%s\backup
1900-01-01 00:00
d:d.d
%d-d-d d:d
%s %d %s, %d GB
%s %d %s, %d MB
%s %d %s, %d KB
%s.uibak
%s(%c:)
%s 0 %s, 0 KB
%s(*.*)
%s/%s
%s\easyboot.exe
C:\Windows\System32\Kernel32.dll
%s\lang\%s
alcoholx.dll
%s\Alcohol Soft\Alcohol 120\alcoholx.dll
%s\UltraISO.chm
&%d %s
(*.wav;*.mp3;*.wma;*.ape)
*.wav;*.mp3;*.wma;*.ape
(*.wav;*.mp3;*.ape)
*.wav;*.mp3;*.ape
(*.wav;*.mp3)
*.wav;*.mp3
(*.*)
EasyCDCreator.DiscImage.6
EasyCDCreator.DiscImage.5
ROXIO.CD.Image
copytocd.exe
%s "%s"
VIDEO_TS.IFO
MP3 Files (*.mp3)
*.mp3
WAV Files (*.wav)
*.wav
SYSTEM.CNF
%d files found (in %d folders) for '%s'
No file was found for '%s'
%s\ultraiso.ini
"Install"="%d"
"Language"="%d"
"SoundEffect"="%d"
"UseSkins"="%d"
"LocalBrowser"="%d"
"ShowCurrentMedia"="%d"
"ISOFolder"="%s"
"SetISOPath"="%d"
"DefViewer"=%s
"SaveFormat"="%d"
"MainLeft"="%d"
"MainTop"="%d"
"MainWidth"="%d"
"MainHeight"="%d"
"LastWinX"="%d"
"LastWinY"="%d"
"LastWinW"="%d"
"LastWinH"="%d"
"HSplitter"="%d"
"VSplitter1"="%d"
"VSplitter2"="%d"
"LastNameW"="%d"
"LastSizeW"="%d"
"LastTypeW"="%d"
"LastNameWL"="%d"
"LastSizeWL"="%d"
"LastTypeWL"="%d"
"UseJoliet"="%d"
"UseUDF"="%d"
"UseHFS"="%d"
"Level2"="%d"
"MaxLength"="%d"
"LowerCase"="%d"
"DOSCharset"="%d"
"Extended"="%d"
"RockRidge"="%d"
"VersionNumber"="%d"
"Optimize"="%d"
"MediaType"="%d"
"Mediad"="%d"
"ISOFilter"="%d"
"VerifyISO"="%d"
"SkipBadSector"="%d"
"SessionSelector"="%d"
"CheckLog"="%d"
"ChecksumFilter"="%d"
"RecompileISO"="%d"
"SaveBackup"="%d"
"GenISOChecksum"="%d"
"GenFileChecksums"="%d"
"AddJoliet"="%d"
"KeepHide"="%d"
"SuperRestore"="%d"
"RecycleBin"="%d"
"SyncConvertDir"="%d"
"DST"="%d"
"ISZDefault"="%d"
"ISZMode"="%d"
"ISZSplit"="%d"
"SplitSize"="%s"
"ISZVolNameStyle"="%d"
"ISZPassword"="%d"
"ISZEncrypt"="%d"
"ISZSFV"="%d"
"ChangeDefSettings"="%d"
"UltraBurn"="%d"
"MaxCacheSize"="%d"
"BurnVerify"="%d"
"VerifyAgainstFile"="%d"
"VerifyOnWrite"="%d"
"FinalizeDisc"="%d"
"LamePreset"="%d"
"LameBitrate"="%d"
"WMABitrate"="%d"
"UseCDText"="%d"
(%c:)%s
Number of text files converted: %d (%d)
mmSSh
mmImportIML
mmExportOptions@
lbRegWebClick
lvISOFileKeyDown
tvISODirKeyDown
tvDiskDirKeyDown
txtDiskCurDirKeyDown
mmImportIMLClick
mmExportOptionsClick
%%/%c
Unable to generate path tables - too many directories (%d).
Internal error - Entry %d not in path tables.
Joliet path table lengths do not match %d expected: %d
Unexpected joliet directory length %d expected: %d '%s'
Error: %s and %s have the same Joliet name
Internal error - Non zero-length file '%s' assigned zero extent.
Hash Entry: %d
%s.i
cronie-1.4.4-7.el6.x86_64.rpm
cronie-anacron-1.4.4-7.el6.x86_64.rpm
ISO image file '%s' size error.
Internal error - could not find directory entry for '%s'
Video pad for file %s is %d
The *.IFO file is bad.
The pad was %d for file %s
Unable to generate path tables - too many directories (%d)
Internal error - entry %d not in path tables
0000000000000000
ddd
00:00:00
d:d:d
frmProgressShow
frmProgressHide
Mddddd
FormKeyDown
9.6.5.3237
%d User License
mailto:support@ezbsystems.com
boot.catalog
%s (%dKB)
%s (%sMB)
Error opening boot image '%s' for read.
Error reading MBR from boot image '%s'.
Boot image '%s' has multiple partitions.
Error - boot image '%s' is not the an allowable size.
Error opening boot image file '%s' for update.
Odd alignment at non-end-of-file in boot image '%s'.
Boot image file '%s' size changed !
boot.loader
TRANS.TBL
%s\mapping.txt
THE ROCK RIDGE INTERCHANGE PROTOCOL PROVIDES SUPPORT FOR POSIX FILE SYSTEM SEMANTICS
FILE "%s" BINARY
PMin=%d
PSec=%d
PFrame=%d
PLBA=%d
Writen %d Sectors ( %dKB Bytes)
%d Sectors Writen ( %dKB Bytes)
TRACK d AUDIO
INDEX 01 d:d:d
TocEntries=%d
[Entry %d]
Point=0xx
[TRACK %d]
INDEX 1=%d
.tar.gz
.ps.gz
MEM_NUM %d, MEM_SIZE %d
%s\lame_enc.dll
%d.%d
LAME_ENC.DLL not found!
Unsupported APE format!
Unsupported WMA format!
Internal error - file '%s' already in hash table.
%s~%c%c%s
%s~%c%c%c%s
%s%c%c%c%s
Internal error - RR overflow for file %s
Unable to sort directory %s
%c %-*s%s
Translation table size mismatch %d %d
./.rr_moved
.rr_moved
INFO.VCD
ENTRIES.VCD
INFO.SVD
ENTRIES.SVD
VIDEO_TS.BUP
VIDEO_TS.VOB
UMD_DATA.BIN
ISOLINUX.BIN
ISOLINUX.CFG
%si
%s (1%i).gi
%s (1_%i).gi
%s.Bi
%s.md%i
%s_%i.ncd
%s.iso.i
%s.nrg.i
%s.xmd
%s.mds
%s.xmf
%s.mdf
%s\uiso.md%d
%s\uiso.md1
%s\uiso.md2
%s\uiso.md3
%s open error.
%s format error.
%s deleted -- '%s' not found.
%s deleted -- '%s' size changed.
%s deleted -- '%s' content changed.
Abnormal file: %s
Abnormal directory: %s
.ASHDISC
Error No: %d
%s (%d)
%d (%s)
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
\\.\PhysicalDrive%d
XX
This disc contains a "UDF" file system and requires an operating system
that supports the ISO-13346 "UDF" file system specification.
README.TXT
ncbLen <= sizeof( mySrb.CDBByte )
D:\My Programs\UltraISO 9.65\cdrom.cpp
%c:\VCD\INFO.VCD
%c:\VCD\ENTRIES.VCD
%c:\SVCD\INFO.SVD
%c:\VCD\ENTRIES.SVD
\\.\%c:
Using capacity reported by TOC: %d(%d)
AUDIO PLAY OPERATION IN PROGRESS
AUDIO PLAY OPERATION PAUSED
AUDIO PLAY OPERATION SUCCESSFULLY COMPLETED
AUDIO PLAY OPERATION STOPPED DUE TO ERROR
LOGICAL UNIT NOT READY, CAUSE NOT REPORTABLE
LOGICAL UNIT NOT READY, INITIALIZING CMD. REQUIRED
LOGICAL UNIT NOT READY, OPERATION IN PROGRESS
MISCOMPARE DURING VERIFY OPERATION
INVALID COMMAND OPERATION CODE
LOGICAL UNIT NOT SUPPORTED
PARAMETER NOT SUPPORTED
THRESHOLD PARAMETERS NOT SUPPORTED
IMPORT OR EXPORT ELEMENT ACCESSED
COPY CANNOT EXECUTE SINCE INITIATOR CANNOT DISCONNECT
INSUFFICIENT TIME FOR OPERATION
CANNOT WRITE MEDIUM . UNSUPPORTED MEDIUM VERSION
UNSUPPORTED ENCLOSURE FUNCTION
SAVING PARAMETERS NOT SUPPORTED
TARGET OPERATING CONDITIONS HAVE CHANGED
CHANGED OPERATING DEFINITION
ERASE FAILURE - INCOMPLETE ERASE OPERATION DETECTED
OPERATOR REQUEST OR STATE CHANGE INPUT
OPERATOR MEDIUM REMOVAL REQUEST
OPERATOR SELECTED WRITE PROTECT
OPERATOR SELECTED WRITE PERMIT
COPY PROTECTION KEY EXCHANGE FAILURE . AUTHENTICATION FAILURE
COPY PROTECTION KEY EXCHANGE FAILURE . KEY NOT PRESENT
COPY PROTECTION KEY EXCHANGE FAILURE .KEY NOT ESTABLISHED
Sense: KEY=x,ASC=x, ASCQ=x
20021225000000
%c:%s
%s\%s.%s
%s\%s.bif
%s\wnaspi32.dll
GetASPI32SupportInfo
HardwareKey
addr:%d Read Error!
Sector: %d Read Error!
addr:%d Read Error, fill with all 0s data!
Sessions=%d
[Session %d]
PreGapMode=%d
Session=%d
ADR=0xx
Control=0xx
TrackNo=%d
AMin=%d
ASec=%d
AFrame=%d
ALBA=%d
Zero=%d
MODE=%d
%s.iso
GETDISK:%d, GETCD:%d, GETCAP:%d, READTOC:%d
GETDISK:%d, GETCAP:%d,READTOC:%d
GETCD:%d, GETCAP:%d, READTOC:%d
GETCAP:%d,READTOC:%d
uikey.ini
ultraiso.ini
%d bytes realloc failed
%d bytes calloc failed
%s, %8.3f seconds
txtUserNameKeyPress
(%c:)
(%c:)%s (%.2f MB
(%c:)%s (%.2f GB
%s\%s.ima
%s\%s.bsf
\\.\vwin32
Windows9x1$
WindowsNT2KXP1(
WindowsVista1,
Windows9x1Click
WindowsNT2KXP1Click
WindowsVista1Click
bootimg-header.bin
bootimg-kernel.bin
bootimg-ramdisk.gz
Trackd.wav
%s PADDING: %dbytes
\\.\ :
$q5c:mo7`9q ~%S
)14>&$':%
UltraISO.exe
.ashdisc
.VaporCD
Ver %d.%d
regsvr32 /s "%s\isoshl64.dll"
regsvr32 /s "%s\isoshell.dll"
regsvr32 /s /u "%s\isoshl64.dll"
regsvr32 /s /u "%s\isoshell.dll"
Nero.BurningROM.12.AutoPlay
Nero.Express.11.AutoPlay
nero.exe
Nero.BurningROM.11.AutoPlay
NeroBurningROM.Files9.nrg
NeroExpress.Files9.nrg
%snero.exe
%s\nero.exe
%Program Files%\Nero\Nero 11\Nero Burning ROM\nero.exe
%Program Files% (x86)\Nero\Nero 11\Nero Burning ROM\nero.exe
RoxioCentral.File
%Program Files%\Roxio 2012\Roxio Central\RoxioCentralFx.exe
%Program Files% (x86)\Roxio 2012\Roxio Central\RoxioCentralFx.exe
giRCCopy.File
%scopytocd.exe
%s\CloneCD.exe
%sImgBurn.exe /MODE WRITE /SOURCE
%s\ImgBurn.exe /MODE WRITE /SOURCE
volname.isz,volname.i01,...
volname.part01.isz,volname.part02.isz,...
volname.part001.isz,volname.part002.isz,...
%s -get_letter scsi,%d
daemon.exe
dtlite.exe
AxCmd.exe
alcohol.exe
AxCmd.exe"
VCDMount.exe
VCDDaemon.exe
VCDMount.exe"
DTProAgent.exe
DTAgent.exe
dtpro.exe
DTProAgent.exe"
DTAgent.exe"
vdrive.exe
%s\Logical Unit Id 0
SYSTEM\CurrentControlSet\Services\%s
SCSI miniport
Scsi Bus 0\%s
%s\vdrive.ini
%s 1: /L
%s -get_count scsi
%s %d: /M:"%s"
%s -mount %d,"%s"
%s -mount scsi, %d,"%s"
%s /M:%d "%s"
%s /d=%d "%s"
%s %d: /U
%s -unmount %d
%s -unmount scsi, %d
%s /U:%d
%s /d=%d /u
%s\AxCmd.exe"
"%s\AxCmd.exe"
%s\VCDMount.exe
"%Program Files%\DAEMON Tools\daemon.exe"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"%Program Files%\DAEMON Tools Lite\daemon.exe"
"%Program Files% (x86)\DAEMON Tools\daemon.exe"
"%Program Files% (x86)\DAEMON Tools Lite\daemon.exe"
"%Program Files%\DAEMON Tools Lite\dtlite.exe"
"%Program Files% (x86)\DAEMON Tools\dtlite.exe"
"%Program Files% (x86)\DAEMON Tools Lite\dtlite.exe"
"%Program Files%\DAEMON Tools Pro\DTAgent.exe"
"%Program Files% (x86)\DAEMON Tools Pro\DTAgent.exe"
"%Program Files%\DAEMON Tools Pro\DTProAgent.exe"
"%Program Files% (x86)\DAEMON Tools Pro\DTProAgent.exe"
"%Program Files%\DVDFab Virtual Drive\vdrive.exe"
"%Program Files% (x86)\DVDFab Virtual Drive\vdrive.exe"
gbPasswordP
chkISZPasswordT
cbISZPasswordX
btnISZPassword\
chkISZPasswordClick
btnISZPasswordClick
cbISZPasswordChange
txtVCDKeyDown
%s: %s %s
%s\Session%d
password
%d KB
1900-01-01 00:00:00
%d-d-d d:d:d
%d,d,d%s
%d,d%s
d:d.d
id
%s.md5
%s.sfv
%s.txt
# ISO checksum generated by UltraISO (hXXp://VVV.ezbsystems.com)
; ISO checksum generated by UltraISO (hXXp://VVV.ezbsystems.com)
# Generated %d-d-d d:d:d
; Generated %d-d-d d:d:d
File: %s
Size: 0x%xx Bytes
Size: %u Bytes
MD5: %s
%s *%s
CRC-32: %u (0xx)
%s x
CRC-16: %u (0xx)
CRC-CCITT: %u (0xx)
SYSTEM.CNF;1
CDTEXTFILE "%s"
INDEX 00 d:d:d
TRACK d MODE%d/2352
REM SESSION d
%sd0
Session %d
%d MB
Faild to seek VIDEO_TS.IFO
Faild to read VIDEO_TS.IFO
VTS_d_0.IFO
Faild to open %s
DVD file '%s' not found.
Cannot open file %s
Either VIDEO_TS.IFO or VIDEO_TS.VOB is not of correct size
VTS_i_0.IFO
VTS_i_0.IFO appears to be corrupted.
VTS_i_0.VOB
VTS_i_%i.VOB
VTS_i_0.BUP
unable to stat HFS boot file %s
unable to open HFS boot file %s
unable to read HFS boot file %s
%s is not a HFS boot file
unable to seek HFS boot file %s
unable to read HFS boot block %s
%s does not contain a valid boot block
Creating HFS Label %s %s
.finderinfo/
.resource/
.AppleDouble/
.rsrc/
FINDER.DAT
RESOURCE.FRK/
finder.dat
resource.frk/
.HSancillary
.HSResource/
warning: %s doesn't appear to be a %s file
%s doesn't appear to be a %s file
/.AppleDouble/.Parent
.finderinfo
.resource
.ADeskTop
.IDeskTop
.rootinfo
.Desktop
.DeskServer
.Label
.AppleDouble
.AppleDesktop
RESOURCE.FRK
FILEID.DAT
resource.frk
fileid.dat
.HSResource
Name: %s
File type: %s
HFS Name: %s
ISO Name: %s
CREATOR: %s
%s%*s%*1s%c%c%c%c%*1s%*1s%c%c%c%c%*1s
error scanning afpfile %s - continuing
%4s%4s
can't HFS format %s
can't HFS mount %s
HFS scanning %s
can't HFS create file %s
Using HFS name: %s for %s
can't HFS open %s
can't HFS set attributes %s
can't HFS close file %s
can't locate relocated directory %s
can't find directory location %s
can't HFS create folder %s
Blessing %s (%s)
unsupported b*-tree node size
Possible Catalog file overflow - please report error
String too long: %s
uImage Files (*.nrg)
NeroAPI %s %d.%d.%d.%d
Nero.txt
Nerojpn.txt
Nerokor.txt
Nerochs.txt
Nerocht.txt
Nerodeu.txt
Nerofra.txt
Neroesp.txt
Neroita.txt
Neroptg.txt
Neroptb.txt
Neronld.txt
Nerosve.txt
Neroplk.txt
Nerocsy.txt
Nerohun.txt
Nerorus.txt
Neroukr.txt
Nerotrk.txt
Neroell.txt
Nerodan.txt
Neronor.txt
Nerofin.txt
Nerorom.txt
Nerosky.txt
Neroslv.txt
%s\cdrdao.exe
%s\cdrecord.exe
%s\cdburn.exe
%dKB/s
Image.nrg
%dX (%d KB/s)
%d.%dX (%d KB/s)
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Windows
Windows NT
Windows 95
Windows 98
Windows Me
Windows 2000
Windows XP
Windows 2003
Windows Vista
Windows 7
Windows 10
Windows 8.1
Windows 8
%s v%d.%d %s
%s v%d.%d
%s v%d.%d Build %d %s
%s v%d.%d Build %d
Burning feature requires at least Windows 98SE or Windows 2000
%s\cdrecord.exe blank=fast dev=SPTI:%d,%d,%d
%s\cdrecord.exe blank=fast dev=ASPI:%d,%d,%d
%s\cdrdao.exe blank --blank-mode minimal --device SPTI:%d,%d,%d
%s\cdrdao.exe blank --blank-mode minimal --device ASPI:%d,%d,%d
Supported modes
Check hXXp://
%s\dvdburn.exe %c: %s
-speed %d
%s\cdburn.exe %c: %s -sao %s
%s\cdburn.exe %c: %s %s
%s\cdrecord.exe dev=SPTI:%d,%d,%d -v -s -dao speed=%d %s
%s\cdrecord.exe dev=SPTI:%d,%d,%d -v -s -tao speed=%d %s
%s\cdrecord.exe dev=ASPI:%d,%d,%d -v -s -dao speed=%d %s
%s\cdrecord.exe dev=ASPI:%d,%d,%d -v -s -tao speed=%d %s
--speed %d
%s\cdrdao.exe write --device SPTI:%d,%d,%d %s --eject %s
%s\cdrdao.exe write --device ASPI:%d,%d,%d %s --eject %s
LBA: %d
Cache speed: %.1fX(%dKB/s), Read time: %dms
Coding error: unsupported media type %d
Device Buffer: %dKB
(Empty, Free=%d)
(Not Empty=%d, ReWritable)
(Not Empty=%d)
%d# %s
Unexpected sub-directory: '%s'
Unexpected directory length %d expected: %d '%s'
%s\prj_log.txt
Project: %s
%d files not found.
%d KB (
%d/%d
# MD5 checksums generated by UltraISO (hXXp://VVV.ezbsystems.com)
%s %s ('%c' - %s, '%c' - %s, '%c' - %s, '%c' - %s)
%c %s *%s
**[x]
Expected Tag ID of %d, found %d
Expected Tag location of x, read x
Expected Tag checksum of x, computed x
Expected Tag CRC of x, found x
%d sectors did not contain a volume descriptor matching %d
This program can handle %d partitions and the logical volume has %d
Tag CRC length limit is x, found x
NSR descriptor version should be %d, was %d
Expected Allocation Descriptors for %d bytes, found %d
%d Partitions found, Partition Reference Number %d out of range
%d blocks in Partition, Logical Block Number %d out of range
Adjacent Allocation Descriptors found (descriptor for %d)
Expected Serial number of %d, found %d. (disabling reporting)
Disc identification: %s
%s - %s.wav
%s.wav
?456789:;<=
!"#$%&'()* ,-./0123
<key>blkx</key>
<key>Name</key>
Unsupported DMG chunk type: 0x80000004.
1.2.7
inflate 1.2.7 Copyright 1995-2012 Mark Adler
btree_key_by_index: index out of range
btree_key_by_index: off_pos out of range
btree_key_by_index: offset out of range
Invalid key length in record_readkey
Invalid key length in record_writekey
Invalid key length in record_extent_readkey
Invalid key length in record_extent_writekey
Invalid key length in record_thread
Unsupported type for record_init_string()
record_find_key: unexpected error
record_find_key: unexpected empty node
record_init_key: unexpected error
Unexpected Buffer overflow in record_insert %d > %d
! " # $ % & ' ( )
%s:%s
Insert Systemdisk and press any key.
Home page: hXXp://VVV.ultraiso.com
Error loading operating system
Missing operating system
Replace the disk, and then press any key
Press any key to restart
Replace and press any key when ready
press any key to try again...
TCPAu$
TCPA
TCPAf
TCPAu2
Press any key to restart...
/ezboot/bootmenu.ezb
fREItñ
DEFAULT.EZB
Password:
Press any key to
isolinux.cfg
%s.%s
Error allocating memory for FAT (%d bytes needed)
Error allocating memory for backup FAT (%d bytes needed)
Error allocating memory for root entries (%d needed).
Error allocating memory for backup root entries (%d needed).
File creation error: %s
ldlinux.sys
syslinux.cfg
/syslinux.cfg
io.sys
msdos.sys
command.com
ibmbio.com
ibmdos.com
kernel.sys
isolinux.bin
boot.cfg
boot.bin
%s/syslinux/
%c:\boot\syslinux\syslinux.cfg
%c:\syslinux\syslinux.cfg
NTDETECT.COM
SETUPLDR.BIN
TXTSETUP.SIF
EXPLORER.EXE
%s\ldlinux.sys
%c:\boot\syslinux
%c:\syslinux
%c:\boot\isolinux
%c:\isolinux
\ldlinux.sys
CONFIG.SYS
File error: %s
jo.sys
IO.SYS
MSDOS.SYS
COMMAND.COM
IBMBIO.COM
IBMDOS.COM
LDLINUX.SYS
KERNEL.SYS
Directory error: %s
%s\syslinux.cfg
All images (*.iso;*.isz;*.cue;*.mds;*.nrg;*.ccd;*.bwt;*.b5t;*.cdi;*.pdi)
*.iso;*.isz;*.cue;*.mds;*.nrg;*.ccd;*.bwt;*.b5t;*.cdi;*.pdi
Standard ISO images (*.iso)
Compressed ISO images (*.isz)
Cue sheets (*.cue)
*.cue
Media descriptor files (*.mds)
*.mds
Nero images (*.nrg)
CloneCD imahes (*.ccd)
*.ccd
Blindread images (*.bwt)
*.bwt
DiscJuggler images (*.cdi)
Instant CD/DVD images (*.pdi)
All files(*.*)
%s(%c:) - %s
%s(%d:) - %s
%s(%d:)
%c:\%s
%sautorun.inf
explorer.exe /e,/root,%c:\
Sorry, layer %d not supported
Joint-Stereo
MPEG %s, Layer: %s, Freq: %ld, mode: %s, modext: %d, BPF : %d
Channels: %d, copyright: %s, original: %s, CRC: %s, emphasis: %d.
Bitrate: %d Kbits/s, Extension value: %d
joint-stereo
MPEG %s layer %s, %d kbit/s, %ld Hz %s
invalid layer %d
mpg123: Bogus region length (%d)
mpg123: Can't rewind stream by %d bits!
%s\wmvcore.dll
%s\WmAudSDK.dll
WMAUDSDK.DLL not found!
%s\MACDll.dll
MACDLL.DLL not found!
Error opening APE file (error code: %d)
0000000000000000
XDVD Image Total Size: %d
deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
[%d: huff mtf
%d in block, %d after MTF & 1-2 coding, %d 2 syms in use
initial group %d, [%d .. %d], has %d syms (%4.1f%%)
pass %d: size is %d, grp uses are
bytes: mapping %d,
selectors %d,
code lengths %d,
codes %d
block %d: crc = 0xx, combined CRC = 0xx, size = %d
final combined CRC = 0xx
bzip2/libbzip2: internal error number %d.
This is a bug in bzip2/libbzip2, %s.
Please report it to me at: jseward@bzip.org. If this happened
component, you should also report this bug to the author(s)
of that program. Please make an effort to report this bug;
timely and accurate bug reports eventually lead to higher
(VVV.memtest86.com). At the time of writing it is free (GPLd).
{0xx, 0xx}
combined CRCs: stored = 0xx, computed = 0xx
1.0.6, 6-Sept-2010
depth m has
m unresolved strings
qsort [0x%x, 0x%x] done %d this %d
%d pointers, %d sorted, %d scanned
%d work, %d block, ratio %5.2f
.id
.partd.isz
.partd.isz
.part01.isz
.part001.isz
Ant#%d: Reset event failed.
Ant#%d: Set event failed.
!!!Ants#%d: BLOCK=%d
!!!Internal error >>>BUSY=%d/%d, READY=%d
;% 13I64d %d-d-d d:d:d %s
%s X
.dd
lbPassword
txtPassword
txtPasswordKeyPress
txtRetypeKeyPress
%s\iml_log.txt
IML file: %s
CMD ERROR: P1=%s,P2=%s
Error creating file: "%s".
Error opening file: %s.
Error reading file: %s.
Error writing file: %s.
FILE ERROR: LBA=%d,FILE='%s'
>>>%s
\Device\IsoCdRom%d
\\.\IsoCdRom
%c: Length=%d, Status=%d, Device=%d
Trying driver path: %s
%s\drivers\%s.sys
Driver path: %s
Try to load [%s]...
Service [%s] is started.
%s\Device%d
txtFilenameKeyPress
gbPassword,
chkISZPassword0
cbISZPassword4
btnISZPassword8
%s (%c:
%s\boot.ima
MsgWaitToReady
chkISZPassword
cbISZPassword
0xX
%d (0x%x)
%d (%d)
0xX
[DEV] Error reading device at position %d.
You need Windows XP to access this device.
Error %s getting the device geometry.
ZIP mode does not support a partition table.
This program run only in Windows 2000/XP and above.
Error %s accessing this device.
Error %s reading the device.
Error %s writing the device at %d(SetFilePointer).
Error %s writing the device at %d(WriteFile).
Error %s writing the device at %d, %d(%d).
Retry#%d writing at %d (stat=%d)...
Retry#%d reading at %d (stat=%d)...
Error %d reading device at %d for verification.
Repair#%d at %d...
Error verifying device at %d
100.00%%
%c:\%s\NTDETECT.COM
%c:\NTDETECT.COM
%c:\%s\SETUPLDR.BIN
%c:\NTLDR
%c:\%s\EZLDR
%c:\EZLDR
%c:\syslinux.cfg
%c:\%s\syslinux.cfg
%c:%s\syslinux.cfg
>>>C/H/S=%d/%d/%d
C/H/S: %d/%d/%d
%c:\io.sys
%c:\msdos.sys
%c:\command.com
%c:\ibmbio.com
%c:\ibmdos.com
%c:\kernel.sys
%c:\isolinux.cfg
%c:\isolinux\isolinux.cfg
%c:\boot\isolinux\isolinux.cfg
%c:\bootmgr
%c:\PROGRAMS
%c:\*.*
%c:\%s\TXTSETUP.SIF
%c:\%s\EXPLORER.EXE
%c:\WXPE
%c:\WXPE\NTDETECT.COM
%c:\WXPE\SETUPLDR.BIN
%c:\I386
%c:\I386\NTDETECT.COM
%c:\I386\SETUPLDR.BIN
%c:\I386\TXTSETUP.SIF
%s\NTDETECT.COM
%s\SETUPLDR.BIN
%s\isolinux.cfg
%c:\MININT
Windows9x1p
WindowsNT2KXP1t
WindowsVista1x
%d:%d (%c:%s)
%d:%d (%c:)
%d:%d
\Device\Harddisk%d\Partition4
\NeroAPI.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Nero.exe
\DVDR.DLL
NeroImportIsoTrackEx
NeroImportDataTrack
"$"#,##0_);\("$"#,##0\)
"$"#,##0.00_);\("$"#,##0.00\)
_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_)
_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)
_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)
_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_)
of %s
- %dGB free
- %dMB free
- %dKB free
- %dGB overload
- %dMB overload
- %dKB overload
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
%s: %s error
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
_noParam.vt == VT_ERROR
VARIANT.CPP
%s @ %s/%d
%s failed - %s/%d
_empty.vt == VT_EMPTY
vt == rhs.vt
c:\bcb\emuvcl\utilcls.h
Inv(%d) %s, 0x%lX, retVT(0x%X), ErrArg(%d)
Parms.vt == (VT_ARRAY|VT_VARIANT)
ParmTypes.vt == (VT_ARRAY|VT_I4)
%Program Files%\UltraISO
C:\Users\"%CurrentUserName%"\Documents\My ISO Files
%Program Files%\Common Files\EZB Systems
20170916_172057
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Ultra$ISO
C:\Windows\system32\notepad.exe
%Program Files%\UltraISO\checklog.txt
Image Files(*.iso;*.isz;*.bin;*.cue;*.mds;*.mdf;*.nrg;*.ashdisc;*.b6t;*.b6i;*.b5t;*.b5i;*.bwt;*.bwi;*.lcd;*.ccd;*.img;*.dvd;*.000;*.daa;*.cdi;*.cif;*.xmf;*.xmd;*.pdi;*.dmg;*.timg;*.hfs;*.ncd;*.pxi;*.p2i;*.rif;*.rdf;*.gi;*.uif;*.vc4;*.fcd;*.vcd;*.ima;*.bif;*.flp;*.c2d;*.dao;*.tao;*.p01;*.md1;*.xa;*.VaporCD;*.gcd;*.ixa;*.vdi)
*.iso;*.isz;*.bin;*.cue;*.mds;*.mdf;*.nrg;*.ashdisc;*.b6t;*.b6i;*.b5t;*.b5i;*.bwt;*.bwi;*.lcd;*.ccd;*.img;*.dvd;*.000;*.daa;*.cdi;*.cif;*.xmf;*.xmd;*.pdi;*.dmg;*.timg;*.hfs;*.ncd;*.pxi;*.p2i;*.rif;*.rdf;*.gi;*.uif;*.vc4;*.fcd;*.vcd;*.ima;*.bif;*.flp;*.c2d;*.dao;*.tao;*.p01;*.md1;*.xa;*.VaporCD;*.gcd;*.ixa;*.vdi
CDRWin(*.bin;*.cue)
Alcohol 120%(*.mds;*.mdf)
Nero - Burning ROM(*.nrg)
Ashampoo(*.ashdisc)
BlindWrite(*.bwt;*.bwi)
CDSpace(*.lcd)
CloneCD(*.ccd;*.img)
CloneCD 5(*.dvd;*.000)
Direct Access Achive(*.daa)
DiscJuggler(*.cdi)
Easy CD/DVD Creator(*.cif)
GameJack(*.xmf;*.xmd)
InstantCopy(*.pdi)
Mac(*.dmg;*.timg;*.hfs)
NTI CD-Maker(*.ncd)
PlexTools(*.pxi)
PowerDirector(*.rif;*.rdf)
RecordNow(*.gi)
Universal Image Format(*.uif)
Virtual CD(*.vc4)
Virtual CD-ROM(*.fcd)
Virtual Drive(*.vcd)
WinImage(*.ima;*.bif;*.flp)
Duplicator(*.dao;*.tao)
Gear(*.p01;*.md1;*.xa)
Noum Vapor CDROM(*.VaporCD)
Prassi(*.gcd)
Ulead VideoStudio(*.ixa)
Virtuo CD Manager(*.vdi)
All Files(*.*)
C:\Users\"%CurrentUserName%"\Desktop
SETUPAPI.DLL
ADVAPI32.DLL
KERNEL32.DLL
MPR.DLL
VERSION.DLL
COMCTL32.DLL
COMDLG32.DLL
GDI32.DLL
SHELL32.DLL
WINMM.DLL
OLEAUT32.DLL
OLEDLG.DLL
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
CreatePipe
GetCPInfo
GetProcessHeap
PeekNamedPipe
WinExec
SetViewportExtEx
SetViewportOrgEx
SHFileOperationA
ShellExecuteA
ShellExecuteExA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetAsyncKeyState
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
_frmPassword
/boot/syslinux/syslinux.cfg
this message in error, hold down the Ctrl key while
Unknown keyword in configuration file:
Missing parameter in configuration file. Keyword:
Boot failed: please change disks and press a key to continue.
.cbt.bss.bs
.com.c32
message in error, hold down the Ctrl key whilebooting, and I
# Mapping file for AppleVolumes.system
.aif Raw 'SCPL' 'AIFF' "SoundApp - AIFF Sound (audio/x-aiff)"
.aifc Raw 'SCPL' 'AIFC' "SoundApp - AIFF Sound Compressed (audio/x-aiff)"
.aiff Raw 'SCPL' 'AIFF' "SoundApp - AIFF Sound (audio/x-aiff)"
.al Raw 'SCPL' 'ALAW' "SoundApp - ALAW Sound"
.ani Raw 'GKON' 'ANIi' "GraphicConverter - Animated NeoChrome"
.apd Ascii 'ALD3' 'TEXT' "Aldus PageMaker - Aldus Printer Description"
.arc Raw 'arc*' 'mArc' "ArcMac - PC ARChive"
.arj Raw 'DArj' 'BINA' "DeArj - ARJ Archive"
.arr Raw 'GKON' 'ARR ' "GraphicConverter - Amber ARR image"
.art Raw 'GKON' 'ART ' "GraphicConverter - First Publisher"
.asc Ascii 'ttxt' 'TEXT' "SimpleText - ASCII Text (text/plain)"
.ascii Ascii 'ttxt' 'TEXT' "SimpleText - ASCII Text (text/plain)"
.asm Ascii 'MPS ' 'TEXT' "MPW Shell - Assembly Source"
.au Raw 'SCPL' 'ULAW' "SoundApp - Sun Sound (audio/basic)"
.avi Raw 'AVIC' 'VfW ' "AVI to QT Utility - AVI Movie (video/avi)"
.backup Raw 'FASL' 'Fra5' "FrameMaker Backup file"
.bar Raw 'S691' 'BARF' "SunTar - Unix BAR Archive"
.bas Ascii 'TBB6' 'TEXT' "TexEdit - BASIC Source"
.bat Ascii 'ttxt' 'TEXT' "SimpleText - MS-DOS Batch File"
.bga Raw 'JVWR' 'BMPp' "JPEGView - OS/2 Bitmap"
.bib Ascii '*TEX' 'TEXT' "Textures - BibTex Bibliography"
.bin Raw 'MB2P' 'BINA' "MacBinary II - MacBinary (application/macbinary)"
.binary Raw 'hDmp' 'BINA' "HexEdit - Untyped Binary Data (application/octet-stream)"
.bmp Raw 'JVWR' 'BMPp' "JPEGView - Windows Bitmap"
.bok Raw 'FBok' 'Fra5' "FrameMaker Book file"
.boo Ascii 'TBB6' 'TEXT' "TexEdit - BOO encoded"
.book Raw 'FBok' 'Fra5' "FrameMaker Book file"
.bst Ascii '*TEX' 'TEXT' "Textures - BibTex Style"
.bw Raw 'GKON' 'SGI ' "GraphicConverter - SGI Image"
.cgm Raw 'GKON' 'CGMm' "GraphicConverter - Computer Graphics Meta"
.class Raw 'CWIE' 'Clss' "CodeWarrior - Java Class File"
.clp Raw 'GKON' 'CLPp' "GraphicConverter - Windows Clipboard"
.cmd Ascii 'ttxt' 'TEXT' "SimpleText - OS/2 Batch File"
.com Raw 'SWIN' 'PCFA' "SoftWindows - MS-DOS Executable"
.cp Ascii 'CWIE' 'TEXT' "CodeWarrior - C Source"
.cpp Ascii 'CWIE' 'TEXT' "CodeWarrior - C Source"
.cpt Raw 'CPCT' 'PACT' "Compact Pro - Compact Pro Archive"
.csv Ascii 'XCEL' 'TEXT' "Excel - Comma Separated Vars"
.ct Raw 'GKON' '..CT' "GraphicConverter - Scitex-CT"
.cut Raw 'GKON' 'Halo' "GraphicConverter - Dr Halo Image"
.cvs Raw 'DAD2' 'drw2' "Canvas - Canvas Drawing"
.dbf Raw 'FOX ' 'COMP' "FoxBase - DBase Document"
.dcx Raw 'GKON' 'DCXx' "GraphicConverter - Some PCX Images"
.dif Ascii 'XCEL' 'TEXT' "Excel - Data Interchange Format"
.diz Ascii 'TBB6' 'TEXT' "TexEdit - BBS Descriptive Text"
.dl Raw 'AnVw' 'DL ' "MacAnim Viewer - DL Animation"
.dll Raw 'SWIN' 'PCFL' "SoftWindows - Windows DLL"
.doc Raw 'MSWD' 'WDBN' "Microsoft Word - Word Document (application/msword)"
.dot Raw 'MSWD' 'sDBN' "Microsoft Word - Word for Windows Template"
.dvi Raw 'OTEX' 'ODVI' "OzTeX - TeX DVI Document (application/x-dvi)"
.dxf Ascii 'SWVL' 'TEXT' "Swivel Pro - AutoCAD 3D Data"
.eps Raw 'vgrd' 'EPSF' "LaserWriter 8 - Postscript (application/postscript)"
.epsf Raw 'vgrd' 'EPSF' "LaserWriter 8 - Postscript (application/postscript)"
.etx Ascii 'ezVu' 'TEXT' "Easy View - SEText (text/x-setext)"
.evy Raw 'ENVY' 'EVYD' "Envoy - Envoy Document"
.exe Raw 'SWIN' 'PCFA' "SoftWindows - MS-DOS Executable"
.faq Ascii 'TBB6' 'TEXT' "TexEdit - ASCII Text (text/x-usenet-faq)"
.fit Raw 'GKON' 'FITS' "GraphicConverter - Flexible Image Transport (image/x-fits)"
.flc Raw 'AnVw' 'FLI ' "MacAnim Viewer - FLIC Animation"
.fli Raw 'AnVw' 'FLI ' "MacAnim Viewer - FLI Animation"
.fm Raw 'FMPR' 'FMPR' "FileMaker Pro - FileMaker Pro Database"
.fm5 Raw 'FASL' 'Fra5' "FrameMaker Document"
.for Ascii 'MPS ' 'TEXT' "MPW Shell - Fortran Source"
.fts Raw 'GKON' 'FITS' "GraphicConverter - Flexible Image Transport"
.gem Raw 'GKON' 'GEM-' "GraphicConverter - GEM Metafile"
.gif Raw 'JVWR' 'GIFf' "JPEGView - GIF Picture (image/gif)"
.gl Raw 'AnVw' 'GL ' "MacAnim Viewer - GL Animation"
.grp Raw 'GKON' 'GRPp' "GraphicConverter - GRP Image"
.gz Raw 'Gzip' 'Gzip' "MacGzip - Gnu ZIP Archive (application/x-gzip)"
.hcom Raw 'SCPL' 'FSSD' "SoundApp - SoundEdit Sound ex SOX"
.hp Ascii 'CWIE' 'TEXT' "CodeWarrior - C Include File"
.hpgl Raw 'GKON' 'HPGL' "GraphicConverter - HP GL/2"
.hpp Ascii 'CWIE' 'TEXT' "CodeWarrior - C Include File"
.hqx Ascii 'TBB6' 'TEXT' "TexEdit - BinHex (application/mac-binhex40)"
.htm Ascii 'Um
.html Ascii 'Um
.i3 Ascii 'TBB6' 'TEXT' "TexEdit - Modula 3 Interface"
.ic1 Raw 'GKON' 'IMAG' "GraphicConverter - Atari Image"
.ic2 Raw 'GKON' 'IMAG' "GraphicConverter - Atari Image"
.ic3 Raw 'GKON' 'IMAG' "GraphicConverter - Atari Image"
.icn Raw 'GKON' 'ICO ' "GraphicConverter - Windows Icon"
.ico Raw 'GKON' 'ICO ' "GraphicConverter - Windows Icon"
.ief Raw 'GKON' 'IEF ' "GraphicConverter - IEF image (image/ief)"
.iff Raw 'GKON' 'ILBM' "GraphicConverter - Amiga IFF Image"
.ilbm Raw 'GKON' 'ILBM' "GraphicConverter - Amiga ILBM Image"
.image Raw 'dCpy' 'dImg' "DiskCopy - Apple DiskCopy Image"
.img Raw 'GKON' 'IMGg' "GraphicConverter - GEM bit image/XIMG"
.img Raw 'GKON' 'KONT' "GraphicConverter - KONTRON Image"
.ini Ascii 'ttxt' 'TEXT' "SimpleText - Windows INI File"
.java Ascii 'CWIE' 'TEXT' "CodeWarrior - Java Source File"
.jfif Raw 'JVWR' 'JFIF' "JPEGView - JFIF Image"
.jpe Raw 'JVWR' 'JPEG' "JPEGView - JPEG Picture (image/jpeg)"
.jpeg Raw 'JVWR' 'JPEG' "JPEGView - JPEG Picture (image/jpeg)"
.jpg Raw 'JVWR' 'JPEG' "JPEGView - JPEG Picture (image/jpeg)"
.latex Ascii 'OTEX' 'TEXT' "OzTex - Latex (application/x-latex)"
.lbm Raw 'GKON' 'ILBM' "GraphicConverter - Amiga IFF Image"
.lha Raw 'LARC' 'LHA ' "MacLHA - LHArc Archive"
.lis Ascii 'TEXT' 'SAS6' ""
.lst Ascii 'TEXT' 'SPSS' "SPSS"
.lha Raw 'LHA ' 'LARC' "LHArc Archive"
.log Ascii 'TEXT' 'SAS6' ""
.lzh Raw 'LARC' 'LHA ' "MacLHA - LHArc Archive"
.m2 Ascii 'TBB6' 'TEXT' "TexEdit - Modula 2 Source"
.m3 Ascii 'TBB6' 'TEXT' "TexEdit - Modula 3 Source"
.mac Raw 'ttxt' 'PICT' "SimpleText - PICT Picture (image/x-pict)"
.mak Ascii 'TBB6' 'TEXT' "TexEdit - Makefile"
.mcw Raw 'MSWD' 'WDBN' "Microsoft Word - Mac Word Document"
.me Ascii 'ttxt' 'TEXT' "SimpleText - Text Readme"
.med Raw 'SCPL' 'STrk' "SoundApp - Amiga MED Sound"
.mf Ascii '*MF*' 'TEXT' "Metafont - Metafont"
.mid Raw 'ttxt' 'Midi' "SimpleText - MIDI Music"
.midi Raw 'ttxt' 'Midi' "SimpleText - MIDI Music"
.mif Ascii 'Fram' 'TEXT' "FrameMaker - FrameMaker MIF (application/x-mif)"
.mime Ascii 'mPAK' 'TEXT' "Mpack - MIME Message (message/rfc822)"
.ml Ascii 'TBB6' 'TEXT' "TexEdit - ML Source"
.mod Raw 'SCPL' 'STrk' "SoundApp - MOD Music"
.mol Ascii 'RSML' 'TEXT' "RasMac - MDL Molfile"
.moov Raw 'ttxt' 'MooV' "SimpleText - QuickTime Movie (video/quicktime)"
.mov Raw 'ttxt' 'MooV' "SimpleText - QuickTime Movie (video/quicktime)"
.mp2 Raw 'KAU1' 'MPEG' "MPEG/CD - MPEG-1 audiostream (audio/x-mpeg)"
.mp3 Raw 'KAU1' 'MPEG' "MPEG/CD - MPEG-1 audiostream (audio/x-mpeg)"
.mpa Raw 'KAU1' 'MPEG' "MPEG/CD - MPEG-1 audiostream (audio/x-mpeg)"
.mpe Raw 'mMPG' 'MPEG' "Sparkle - MPEG Movie of some sort (video/mpeg)"
.mpeg Raw 'mMPG' 'MPEG' "Sparkle - MPEG Movie of some sort (video/mpeg)"
.mpg Raw 'mMPG' 'MPEG' "Sparkle - MPEG Movie of some sort (video/mpeg)"
.msp Raw 'GKON' 'MSPp' "GraphicConverter - Microsoft Paint"
.mswd Raw 'WDBN' 'MSWD' "Microsoft Word document"
.mtm Raw 'SNPL' 'MTM ' "PlayerPro - MultiMOD Music"
.mw Raw 'MWII' 'MW2D' "MacWrite II - MacWrite Document (application/macwriteii)"
.mwii Raw 'MWII' 'MW2D' "MacWrite II - MacWrite Document (application/macwriteii)"
.neo Raw 'GKON' 'NeoC' "GraphicConverter - Atari NeoChrome"
.nfo Ascii 'ttxt' 'TEXT' "SimpleText - Info Text (application/text)"
.nst Raw 'SCPL' 'STrk' "SoundApp - MOD Music"
.o Raw 'SWIN' 'PCFL' "SoftWindows - Object (DOS/Windows)"
.obj Raw 'SWIN' 'PCFL' "SoftWindows - Object (DOS/Windows)"
.oda Raw 'ODA ' 'ODIF' "MacODA XTND Translator - ODA Document (application/oda)"
.okt Raw 'SCPL' 'OKTA' "SoundApp - Oktalyser MOD Music"
.out Raw 'hDmp' 'BINA' "HexEdit - Output File"
.ovl Raw 'SWIN' 'PCFL' "SoftWindows - Overlay (DOS/Windows)"
.pac Raw 'GKON' 'STAD' "GraphicConverter - Atari STAD Image"
.pas Ascii 'CWIE' 'TEXT' "CodeWarrior - Pascal Source"
.pbm Raw 'GKON' 'PPGM' "GraphicConverter - Portable Bitmap (image/x-pbm)"
.pbm Raw 'GKON' 'PPGM' "GraphicConverter - Portable Bitmap (image/x-portable-bitmap)"
.pc1 Raw 'GKON' 'Dega' "GraphicConverter - Atari Degas Image"
.pc2 Raw 'GKON' 'Dega' "GraphicConverter - Atari Degas Image"
.pc3 Raw 'GKON' 'Dega' "GraphicConverter - Atari Degas Image"
.pcs Raw 'GKON' 'PICS' "GraphicConverter - Animated PICTs"
.pct Raw 'ttxt' 'PICT' "SimpleText - PICT Picture (image/x-pict)"
.pcx Raw 'GKON' 'PCXx' "GraphicConverter - PC PaintBrush"
.pdb Ascii 'RSML' 'TEXT' "RasMac - Brookhaven PDB file"
.pdf Raw 'CARO' 'PDF ' "Acrobat Reader - Portable Document Format (application/pdf)"
.pdx Ascii 'ALD5' 'TEXT' "PageMaker - Printer Description"
.pgm Raw 'GKON' 'PPGM' "GraphicConverter - Portable Graymap (image/x-pgm)"
.pgm Raw 'GKON' 'PPGM' "GraphicConverter - Portable Graymap (image/x-portable-graymap)"
.pi1 Raw 'GKON' 'Dega' "GraphicConverter - Atari Degas Image"
.pi2 Raw 'GKON' 'Dega' "GraphicConverter - Atari Degas Image"
.pi3 Raw 'GKON' 'Dega' "GraphicConverter - Atari Degas Image"
.pic Raw 'ttxt' 'PICT' "SimpleText - PICT Picture (image/x-pict)"
.pict Raw 'ttxt' 'PICT' "SimpleText - PICT Picture (image/x-macpict)"
.pit Raw 'SITx' 'PIT ' "StuffIt Expander - PackIt Archive"
.pkg Raw 'GEOL' 'HBSF' "AppleLink - AppleLink Package"
.pl Ascii 'McPL' 'TEXT' "MacPerl - Perl Source"
.plt Raw 'GKON' 'HPGL' "GraphicConverter - HP GL/2"
.pm Raw 'GKON' 'PMpm' "GraphicConverter - Bitmap from xv"
.pm3 Raw 'ALD3' 'ALB3' "PageMaker - PageMaker 3 Document"
.pm4 Raw 'ALD4' 'ALB4' "PageMaker - PageMaker 4 Document"
.pm5 Raw 'ALD5' 'ALB5' "PageMaker - PageMaker 5 Document"
.png Raw 'GKON' 'PNG ' "GraphicConverter - Portable Network Graphic"
.pntg Raw 'GKON' 'PNTG' "GraphicConverter - Macintosh Painting"
.por Raw 'SPOR' 'SPSS' ""
.ppd Ascii 'ALD5' 'TEXT' "PageMaker - Printer Description"
.ppm Raw 'GKON' 'PPGM' "GraphicConverter - Portable Pixmap (image/x-ppm)"
.ppm Raw 'GKON' 'PPGM' "GraphicConverter - Portable Pixmap (image/x-portable-pixmap)"
.prn Ascii 'TBB6' 'TEXT' "TexEdit - Printer Output File"
.ps Ascii 'vgrd' 'TEXT' "LaserWriter 8 - PostScript (application/postscript)"
.psd Raw '8BIM' '8BPS' "Photoshop - PhotoShop Document"
.pt4 Raw 'ALD4' 'ALT4' "PageMaker - PageMaker 4 Template"
.pt5 Raw 'ALD5' 'ALT5' "PageMaker - PageMaker 5 Template"
.pxr Raw '8BIM' 'PXR ' "Photoshop - Pixar Image"
.qdv Raw 'GKON' 'QDVf' "GraphicConverter - QDV image"
.qt Raw 'ttxt' 'MooV' "SimpleText - QuickTime Movie (video/quicktime)"
.qxd Raw 'XPR3' 'XDOC' "QuarkXpress - QuarkXpress Document"
.qxt Raw 'XPR3' 'XTMP' "QuarkXpress - QuarkXpress Template"
.ram Ascii '????' 'TEXT' "Unknown - Real Audio (audio/x-pn-realaudio)"
.raw Raw 'GKON' 'BINA' "GraphicConverter - Raw Image"
.readme Ascii 'TBB6' 'TEXT' "TexEdit - Text Readme (application/text)"
.rgb Raw 'GKON' 'SGI ' "GraphicConverter - SGI Image (image/x-rgb)"
.rgba Raw 'GKON' 'SGI ' "GraphicConverter - SGI Image (image/x-rgb)"
.rib Ascii 'RINI' 'TEXT' "Renderman - Renderman 3D Data"
.rif Raw 'GKON' 'RIFF' "GraphicConverter - RIFF Graphic"
.rle Raw 'GKON' 'RLE ' "GraphicConverter - RLE image"
.rme Ascii 'ttxt' 'TEXT' "SimpleText - Text Readme"
.rpl Raw 'REP!' 'FRL!' "Replica - Replica Document"
.rsc Raw 'RSED' 'rsrc' "ResEdit - Resource File"
.rsrc Raw 'RSED' 'rsrc' "ResEdit - Resource File"
.rtf Ascii 'MSWD' 'TEXT' "Microsoft Word - Rich Text Format (application/rtf)"
.rtx Ascii 'TBB6' 'TEXT' "TexEdit - Rich Text (text/richtext)"
.sas Ascii 'TEXT' 'SAS6' ""
.scc Raw 'GKON' 'MSX ' "GraphicConverter - MSX pitcure"
.scg Raw 'GKON' 'RIX3' "GraphicConverter - ColoRIX"
.sci Raw 'GKON' 'RIX3' "GraphicConverter - ColoRIX"
.scp Raw 'GKON' 'RIX3' "GraphicConverter - ColoRIX"
.scr Raw 'GKON' 'RIX3' "GraphicConverter - ColoRIX"
.sct Raw 'SCHT' 'SPSS' "SPSS"
.scu Raw 'GKON' 'RIX3' "GraphicConverter - ColoRIX"
.sea Raw '????' 'APPL' "Self Extracting Archive - Self-Extracting Archive"
.sf Raw 'SDHK' 'IRCM' "SoundHack - IRCAM Sound"
.sgi Raw 'GKON' 'SGI ' "GraphicConverter - SGI Image"
.sha Ascii 'UnSh' 'TEXT' "UnShar - Unix Shell Archive (application/x-shar)"
.shar Ascii 'UnSh' 'TEXT' "UnShar - Unix Shell Archive (application/x-shar)"
.shp Raw 'GKON' 'SHPp' "GraphicConverter - Printmaster Icon Library"
.sit Raw 'SIT!' 'SITD' "StuffIt - StuffIt Archive"
.sithqx Ascii 'TBB6' 'TEXT' "TexEdit - BinHexed StuffIt Archive (application/mac-binhex40)"
.six Raw 'GKON' 'SIXE' "GraphicConverter - SIXEL image"
.slk Ascii 'XCEL' 'TEXT' "Excel - SYLK Spreadsheet"
.snd Raw 'SCPL' 'BINA' "SoundApp - Sound of various types"
.spc Raw 'GKON' 'Spec' "GraphicConverter - Atari Spectrum 512"
.spo Raw 'SOUT' 'SPSS' "SPSS"
.sps Ascii 'TEXT' 'SPSS' "SPSS"
.sr Raw 'GKON' 'SUNn' "GraphicConverter - Sun Raster Image"
.sty Ascii '*TEX' 'TEXT' "Textures - TeX Style"
.sun Raw 'GKON' 'SUNn' "GraphicConverter - Sun Raster Image"
.sup Raw 'GKON' 'SCRN' "GraphicConverter - StartupScreen"
.svx Raw 'SCPL' '8SVX' "SoundApp - Amiga IFF Sound"
.syk Ascii 'XCEL' 'TEXT' "Excel - SYLK Spreadsheet"
.sylk Ascii 'XCEL' 'TEXT' "Excel - SYLK Spreadsheet"
.tar Raw 'S691' 'TARF' "SunTar - Unix Tape ARchive (application/x-tar)"
.targa Raw 'GKON' 'TPIC' "GraphicConverter - Truevision Image"
.taz Raw 'SITx' 'ZIVU' "StuffIt Expander - Compressed Tape ARchive (application/x-compress)"
.tex Ascii 'OTEX' 'TEXT' "OzTeX - TeX Document (application/x-tex)"
.texi Ascii 'OTEX' 'TEXT' "OzTeX - TeX Document"
.texinfo Ascii 'OTEX' 'TEXT' "OzTeX - TeX Document (application/x-texinfo)"
.text Ascii 'ttxt' 'TEXT' "SimpleText - ASCII Text (text/plain)"
.tga Raw 'GKON' 'TPIC' "GraphicConverter - Truevision Image"
.tgz Raw 'Gzip' 'Gzip' "MacGzip - Gnu ZIPed Tape ARchive (application/x-gzip)"
.tif Raw 'JVWR' 'TIFF' "JPEGView - TIFF Picture (image/tiff)"
.tiff Raw 'JVWR' 'TIFF' "JPEGView - TIFF Picture (image/tiff)"
.tny Raw 'GKON' 'TINY' "GraphicConverter - Atari TINY Bitmap"
.tsv Ascii 'XCEL' 'TEXT' "Excel - Tab Separated Values (text/tab-separated-values)"
.tx8 Ascii 'ttxt' 'TEXT' "SimpleText - 8-bit ASCII Text"
.txt Ascii 'ttxt' 'TEXT' "SimpleText - ASCII Text (text/plain)"
.ul Raw 'SCPL' 'ULAW' "SoundApp - Mu-Law Sound (audio/basic)"
.url Raw 'Arch' 'AURL' "Anarchie - URL Bookmark (message/external-body)"
.uu Ascii 'TBB6' 'TEXT' "TexEdit - UUEncode"
.uue Ascii 'TBB6' 'TEXT' "TexEdit - UUEncode"
.vff Raw 'GKON' 'VFFf' "GraphicConverter - DESR VFF Greyscale Image"
.vga Raw 'JVWR' 'BMPp' "JPEGView - OS/2 Bitmap"
.voc Raw 'SCPL' 'VOC ' "SoundApp - VOC Sound"
.w51 Raw 'WPC2' '.WP5' "WordPerfect - WordPerfect PC 5.1 Doc (application/wordperfect5.1)"
.wav Raw 'SCPL' 'WAVE' "SoundApp - Windows WAV Sound (audio/x-wav)"
.wk1 Raw 'XCEL' 'XLBN' "Excel - Lotus Spreadsheet r2.1"
.wks Raw 'XCEL' 'XLBN' "Excel - Lotus Spreadsheet r1.x"
.wmf Raw 'GKON' 'WMF ' "GraphicConverter - Windows Metafile"
.wp Raw 'WPC2' '.WP5' "WordPerfect - WordPerfect PC 5.1 Doc (application/wordperfect5.1)"
.wp4 Raw 'WPC2' '.WP4' "WordPerfect - WordPerfect PC 4.2 Doc"
.wp5 Raw 'WPC2' '.WP5' "WordPerfect - WordPerfect PC 5.x Doc (application/wordperfect5.1)"
.wp6 Raw 'WPC2' '.WP6' "WordPerfect - WordPerfect PC 6.x Doc"
.wpg Raw 'GKON' 'WPGf' "GraphicConverter - WordPerfect Graphic"
.wpm Raw 'WPC2' 'WPD1' "WordPerfect - WordPerfect Mac"
.wri Raw 'MSWD' 'WDBN' "Microsoft Word - MS Write/Windows"
.wve Raw 'SCPL' 'BINA' "SoundApp - PSION sound"
.x10 Raw 'GKON' 'XWDd' "GraphicConverter - X-Windows Dump (image/x-xwd)"
.x11 Raw 'GKON' 'XWDd' "GraphicConverter - X-Windows Dump (image/x-xwd)"
.xbm Raw 'GKON' 'XBM ' "GraphicConverter - X-Windows Bitmap (image/x-xbm)"
.xbm Raw 'GKON' 'XBM ' "GraphicConverter - X-Windows Bitmap (image/x-xbitmap)"
.xl Raw 'XCEL' 'XLS ' "Excel - Excel Spreadsheet"
.xlc Raw 'XCEL' 'XLC ' "Excel - Excel Chart"
.xlm Raw 'XCEL' 'XLM ' "Excel - Excel Macro"
.xls Raw 'XCEL' 'XLS ' "Excel - Excel Spreadsheet"
.xlw Raw 'XCEL' 'XLW ' "Excel - Excel Workspace"
.xm Raw 'SNPL' 'XM ' "PlayerPro - FastTracker MOD Music"
.xpm Raw 'GKON' 'XPM ' "GraphicConverter - X-Windows Pixmap (image/x-xpm)"
.xpm Raw 'GKON' 'XPM ' "GraphicConverter - X-Windows Pixmap (image/x-xpixmap)"
.xwd Raw 'GKON' 'XWDd' "GraphicConverter - X-Windows Dump (image/x-xwd)"
.zip Raw 'ZIP ' 'ZIP ' "PC ZIP Archive"
#* Raw 'WAPP' 'DATA' "Windows application data file"
0 00 11 AUDIO PLAY OPERATION IN PROGRESS
0 00 12 AUDIO PLAY OPERATION PAUSED
0 00 13 AUDIO PLAY OPERATION SUCCESSFULLY COMPLETED
0 00 14 AUDIO PLAY OPERATION STOPPED DUE TO ERROR
2 04 00 LOGICAL UNIT NOT READY, CAUSE NOT REPORTABLE
2 04 02 LOGICAL UNIT NOT READY, INITIALIZING CMD. REQUIRED
2 04 07 LOGICAL UNIT NOT READY, OPERATION IN PROGRESS
A 1D 00 MISCOMPARE DURING VERIFY OPERATION
5 20 00 INVALID COMMAND OPERATION CODE
5 25 00 LOGICAL UNIT NOT SUPPORTED
5 26 01 PARAMETER NOT SUPPORTED
5 26 03 THRESHOLD PARAMETERS NOT SUPPORTED
6 28 01 IMPORT OR EXPORT ELEMENT ACCESSED
5 2B 00 COPY CANNOT EXECUTE SINCE INITIATOR CANNOT DISCONNECT
6 2E 00 INSUFFICIENT TIME FOR OPERATION
2 30 11 CANNOT WRITE MEDIUM . UNSUPPORTED MEDIUM VERSION
F 35 01 UNSUPPORTED ENCLOSURE FUNCTION
5 39 00 SAVING PARAMETERS NOT SUPPORTED
6 3F 00 TARGET OPERATING CONDITIONS HAVE CHANGED
6 3F 02 CHANGED OPERATING DEFINITION
3 51 01 ERASE FAILURE - INCOMPLETE ERASE OPERATION DETECTED
6 5A 00 OPERATOR REQUEST OR STATE CHANGE INPUT
6 5A 01 OPERATOR MEDIUM REMOVAL REQUEST
6 5A 02 OPERATOR SELECTED WRITE PROTECT
6 5A 03 OPERATOR SELECTED WRITE PERMIT
5 6F 00 COPY PROTECTION KEY EXCHANGE FAILURE . AUTHENTICATION FAILURE
5 6F 01 COPY PROTECTION KEY EXCHANGE FAILURE . KEY NOT PRESENT
5 6F 02 COPY PROTECTION KEY EXCHANGE FAILURE .KEY NOT ESTABLISHED
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
KeyPreview
support@ezbsystems.com
Version 7.2.3.882
Picture.Data
Items.Strings
Glyph.Data
Nero (.NRG)
CDRWin (.BIN/.CUE)
CloneCD (.IMG/.CCD/.SUB)
Alcohol (.MDF/.MDS)
frmMain.ilstStatus
)volname.part01.isz,volname.part02.isz,...
volname.part001.isz,volname.part002.isz,...
gbPassword
Set password
btnISZPassword
c:\program files\UltraISO
Backup files on save (.uibak)
MD5 (.md5)
CRC-32 (.sfv)
CRC-16 (.txt)
c:\windows\system32\notepad.exe
?? (??) - ????
5"%Program Files%\Alcohol Soft\Alcohol 120\AxCmd.exe"
Set .ISZ as the default format
Enter password:
PasswordChar
OnKeyPress
Change default password
Windows9x1
Windows 9x
WindowsNT2KXP1
Windows NT/2K/XP
WindowsVista1
Windows Vista/7/8
Icon.Data
Bitmap.Data
Import IML ...
mmExportOptions
Export Options...
Support Forum
Formats.Default
frmPassword
Windows/Unix(31)
&Get unlimited E-Mail technical support
Windows XP/2K/NT
Windows 10/8.1/8/7/Vista
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
setupapi.dll
advapi32.dll
mpr.dll
version.dll
comdlg32.dll
gdi32.dll
shell32.dll
winmm.dll
oledlg.dll
version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<== :;<2;<=5<=>7=>>!=>>
204~98;*
-2] * #,##0.00; [$
-2] * -#,##0.00
#,##0.00 [$
y.yTy
DRM_KeySeed
DRM_KeyID
DRM_LicenseAcqURL
DRM_V1LicenseAcqURL
DRM_HeaderSignPrivKey
DRM_LASignaturePrivKey
DRM_LASignatureCert
DRM_LASignatureLicSrvCert
DRM_LASignatureRootCert
WM/PromotionURL
WM/AlbumCoverURL
BannerImageURL
CopyrightURL
WM/AuthorURL
WM/UserWebURL
WM/AudioFileURL
WM/AudioSourceURL
WM/InitialKey
_ISVBRSUPPORTED
_PASSESUSED
Print.redbook
Transfer.SDMI
Transfer.NONSDMI
BaseLAURL
ActionAllowed.Play
ActionAllowed.Print.redbook
ActionAllowed.Transfer.SDMI
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Backup
LicenseStateData.Play
LicenseStateData.Print.redbook
LicenseStateData.Transfer.SDMI
LicenseStateData.Transfer.NONSDMI
DRMHeader.KID
DRMHeader.LAINFO
DRMHeader.CID
DRMHeader.SECURITYVERSION
DRMHeader.ContentDistributor
DRMHeader.SubscriptionContentID
76=<98'&
TFRMPASSWORD
!"#$%&'()* ,-./0123456789:
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count
Value must be between %d and %d
Invalid clipboard format Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
Invalid input value7Invalid input value. Use escape key to abandon changes
Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
%s property out of range
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRight
Invalid ownerE%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL
Date exceeds maximum of %s
Date is less than minimum of %s4You must be in ShowCheckbox mode to set to this date#Failed to set calendar date or timeúiled to set maximum selection range$Failed to set calendar min/max rangeúiled to set calendar selected range0Tab position incompatible with current tab style0Tab style incompatible with current tab position
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation!Invalid variant operation ($%.8x)
Invalid NULL variant operation5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
%s expected Too many rows or columns deleted$%s not in a class registration group
Property %s does not exist
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
Line too long List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
%s on line %d
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s1Fixed column count must be less than column count Fixed row count must be less than row count
Grid too large for operation
Invalid stream format$''%s'' is not a valid component name
<Invalid coordinate, Col=%d, Row=%d, ColCount=%d, RowCount=%d
Wrong BIFF version6BIFF record %d bytes in length exceeds buffer capacity
Property "%s" not found"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Ancestor for '%s' not found
Cannot assign a %s to a %s
''%s'' expectedECheckSynchronize called from thread $%x, which is NOT the main thread
ultraiso.exe
UltraISO.exe_3304_rwx_00400000_00001000:
.text
.data
.rdata
.idata
.edata
.rsrc
.reloc
.ezbexe
.adata
UltraISO.exe_3304_rwx_00EE0000_001C8000:
.text
`.data
.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
GetProcessWindowStation
operator
\x86\VmX.dll
publicKeyToken=
<?xml version="1.0" encoding="utf-8"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
%s_%s@%s
VmApi.proto
c:\bamboo-home\xml-data\build-dir\spoonvm-vm-job1\vm\vm\VmApi.pb.cc
Spoon.Vm"c
RuntimePortMapping
original_port
mapped_port
RuntimePortMappings
port_mappings
.Spoon.Vm.RuntimePortMapping"G
.Spoon.Vm.RuntimeObjectMapping"
.Spoon.Vm.RuntimePortMapping
.Spoon.Vm.RuntimeObjectMapping"?
.Spoon.Vm.SandboxProcessInfo"8
.Spoon.Vm.RuntimeNetworkHost
\windowclassexception.txt
inflate 1.2.3 Copyright 1995-2005 Mark Adler
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
Start of stream log for process with command line: %s, current pid: 0x%X
%s %I64d
d/d/%d d:d:d
Microsoft Windows NT %d.%d.%d
{"timestamp":"%s","process":"%s","pid":%d,"platform":"%s","cpu":"%s","message":"%s"}
NtCreateNamedPipeFile
NtAlpcCreatePort
NtCreatePort
NtAlpcConnectPort
NtSecureConnectPort
Microsoft Windows Network
HttpAddUrl
HttpRemoveUrl
HttpAddUrlToUrlGroup
HttpRemoveUrlFromUrlGroup
HttpTerminate
HttpReceiveHttpRequest
HttpSendHttpResponse
HttpSendResponseEntityBody
ShellExecuteExA
ShellExecuteExW
ShellExecuteA
ShellExecuteW
NtCompactKeys
NtCompressKey
NtCreateKey
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtFlushKey
NtLoadKey
NtLoadKey2
NtLoadKeyEx
NtLockRegistryKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtOpenKey
NtOpenKeyEx
NtQueryKey
NtQueryMultipleValueKey
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryValueKey
NtRenameKey
NtReplaceKey
NtRestoreKey
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSetInformationKey
NtSetValueKey
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
GetServiceKeyNameA
GetServiceKeyNameW
kernel32.dll
ieframe.dll
msi.dll
kernelbase.dll
advapi32.dll
LogonUserExExW
CreateNamedPipeW
HttpCreateRequestQueue
HttpSetServerSessionProperty
HttpSetUrlGroupProperty
msvcr110.dll
.xtlsmal
%x_%p.tls
_CorExeMain
rpcrt4
SetWindowsHookExW
EnumWindows
RemoveWindowSubclass
SetWindowSubclass
SetWindowsHookExA
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
%d.%d.%d
[libprotobuf %s %s:%d] %s
..\src\google\protobuf\message.cc
CHECK failed: (from.GetDescriptor()) == (descriptor):
: Tried to copy from a message with a different type.to:
..\src\google\protobuf\io\coded_stream.cc
..\src\google\protobuf\descriptor.cc
$0$1 $2 $3 = $4
$0$1 = $2
". To use it here, please add the necessary import.
", which is not imported by "
.placeholder.proto
.PLACEHOLDER_VALUE
.dummy
File recursively imports itself:
Missing field: FileDescriptorProto.name.
Import "
FieldDescriptorProto.extendee not set for extension field.
FieldDescriptorProto.extendee set for non-extension field.
Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "
map_key must not name a repeated field.
map key must name a scalar or string field.
" is repeated. Repeated options are not supported.
CHECK failed: !out.HadError():
.foo = value".
CHECK failed: dynamic.get() != NULL:
..\src\google\protobuf\generated_message_reflection.cc
CHECK failed: (field->options().ctype()) == (ctype):
..\src\google\protobuf\wire_format.cc
..\src\google\protobuf\wire_format_lite.cc
CHECK failed: value.size() <= kint32max:
..\src\google\protobuf\reflection_ops.cc
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
CHECK failed: backup_bytes_ == 0 && buffer_.get() != NULL:
..\src\google\protobuf\stubs\strutil.cc
..\src\google\protobuf\io\zero_copy_stream_impl.cc
google/protobuf/descriptor.proto
..\src\google\protobuf\descriptor.pb.cc
google/protobuf/descriptor.proto
google.protobuf"G
2$.google.protobuf.FileDescriptorProto"
2 .google.protobuf.DescriptorProto
2$.google.protobuf.EnumDescriptorProto
2'.google.protobuf.ServiceDescriptorProto
2%.google.protobuf.FieldDescriptorProto
.google.protobuf.FileOptions
.google.protobuf.SourceCodeInfo"
2/.google.protobuf.DescriptorProto.ExtensionRange
.google.protobuf.MessageOptions
2 .google.protobuf.FieldDescriptorProto.Label
2*.google.protobuf.FieldDescriptorProto.Type
.google.protobuf.FieldOptions"
2).google.protobuf.EnumValueDescriptorProto
.google.protobuf.EnumOptions"l
2!.google.protobuf.EnumValueOptions"
2&.google.protobuf.MethodDescriptorProto
.google.protobuf.ServiceOptions"
.google.protobuf.MethodOptions"
2).google.protobuf.FileOptions.OptimizeMode:
2$.google.protobuf.UninterpretedOption":
2$.google.protobuf.UninterpretedOption*
2#.google.protobuf.FieldOptions.CType:
experimental_map_key
2$.google.protobuf.UninterpretedOption"/
2-.google.protobuf.UninterpretedOption.NamePart
2(.google.protobuf.SourceCodeInfo.Location
com.google.protobufB
Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().
..\src\google\protobuf\descriptor_database.cc
..\src\google\protobuf\dynamic_message.cc
..\src\google\protobuf\stubs\substitute.cc
..\src\google\protobuf\text_format.cc
..\src\google\protobuf\io\tokenizer.cc
Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:
Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:
\Ux
Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:
..\src\google\protobuf\extension_set_heavy.cc
..\src\google\protobuf\extension_set.cc
CHECK failed: iter != extensions_.end():
C:\bamboo-home\xml-data\build-dir\SPOONVM-VM-JOB1\vm\Build\Output\x86\Vm.pdb
CallNamedPipeW
WaitNamedPipeW
GetConsoleOutputCP
GetSystemWindowsDirectoryW
KERNEL32.dll
GetCPInfo
GetProcessHeap
Vm.dll
zcÁ
.rsrc
@.reloc
C:\bamboo-home\xml-data\build-dir\SPOONVM-VM-JOB1\vm\Build\Output\x86\StubExe.pdb
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
7 7$7(7,7074787<7
.pdata
@.rsrc
C:\bamboo-home\xml-data\build-dir\SPOONVM-VM-JOB1\vm\Build\Output\x64\StubExe.pdb
.?AVRuntimePortMappings@Vm@Spoon@@
.?AVRuntimePortMapping@Vm@Spoon@@
.?AVIExportedInteface@@
.?AV?$_Ref_count@VHttpVHost@CHttpSrv@@@std@@
.?AV?$_Ref_count_obj@VHttpServer@CHttpSrv@@@std@@
.?AV?$_Ref_count_obj@VHttpRequest@CHttpSrv@@@std@@
.?AV?$_Ref_count_obj@VHttpVHost@CHttpSrv@@@std@@
.?AV?$CComObjectNoLock@VCFullIsolationRegKey@@@ATL@@
.?AV?$CComObjectNoLock@VCWriteCopyRegKey@@@ATL@@
.?AV?$CComObjectNoLock@VCMergedRegKey@@@ATL@@
.?AVCMergedRegKey@@
.?AVCWriteCopyRegKey@@
.?AVCFullIsolationRegKey@@
.?AVCVirtualRegKey@@
%Program Files%\UltraISO\UltraISO.exe
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
portuguese-brazilian
Unsupported number of container links
_vmapi_network_config_0x%s
0x%X,
tntdll.dll
CHooker::InterceptAPI32(L"ntdll.dll", "NtSetSecurityObject", (PROC)New_NtSetSecurityObject, (PROC*)&Orig_NtSetSecurityObject)
In call: %s
nCHooker::InterceptAPI32(L"ntdll.dll", "NtQueryInformationToken", (PROC)New_NtQueryInformationToken, (PROC*)&Orig_NtQueryInformationToken)
CHooker::InterceptAPI32(L"kernel32.dll", "CheckElevationEnabled", (PROC)New_CheckElevationEnabled, (PROC*)&Orig_CheckElevationEnabled)
CHooker::InterceptAPI32(L"kernelbase.dll", "CheckTokenMembership", (PROC)New_CheckTokenMembership, (PROC*)&Orig_CheckTokenMembership)
CHooker::InterceptAPI32(L"advapi32.dll", "CheckTokenMembership", (PROC)New_CheckTokenMembership, (PROC*)&Orig_CheckTokenMembership)
CHooker::InterceptAPI32(L"advapi32.dll", "AccessCheck", (PROC)New_AccessCheck, (PROC*)&Orig_AccessCheck)
CHooker::InterceptAPI32(L"advapi32.dll", "CreateProcessWithLogonW", (PROC)New_CreateProcessWithLogonW, (PROC*)&Orig_CreateProcessWithLogonW)
sechost.dll
CHooker::InterceptAPI32(L"sechost.dll", "OpenSCManagerA", (PROC)New_OpenSCManagerA, (PROC*)&Orig_OpenSCManagerA)
CHooker::InterceptAPI32(L"advapi32.dll", "OpenSCManagerA", (PROC)New_OpenSCManagerA, (PROC*)&Orig_OpenSCManagerA)
CHooker::InterceptAPI32(L"sechost.dll", "OpenSCManagerW", (PROC)New_OpenSCManagerW, (PROC*)&Orig_OpenSCManagerW)
CHooker::InterceptAPI32(L"advapi32.dll", "OpenSCManagerW", (PROC)New_OpenSCManagerW, (PROC*)&Orig_OpenSCManagerW)
CHooker::InterceptAPI32(L"sechost.dll", "CloseServiceHandle", (PROC)New_CloseServiceHandle, (PROC*)&Orig_CloseServiceHandle)
CHooker::InterceptAPI32(L"advapi32.dll", "CloseServiceHandle", (PROC)New_CloseServiceHandle, (PROC*)&Orig_CloseServiceHandle)
shlwapi.dll
Error loading shlwapi.dll
CHooker::InterceptAPI32(L"shlwapi.dll", "SHCreateThreadWithHandle", (PROC)New_SHCreateThreadWithHandle, (PROC*)&Orig_SHCreateThreadWithHandle)
file %s doesn't exist
CheckElevation(%s) failed with %d code
CElevationShims::New_CheckTokenMembership::<lambda_02604bca4152832ac92161eb66d89101>::operator ()
Raising RID from 0x%X to 0x%X
CElevationShims::New_NtQueryInformationToken::<lambda_7138ae5cd59c00b0ddad740776ba328b>::operator ()
CElevationShims::New_CheckElevationEnabled::<lambda_74f8b737e8a0ad075cd7549e1a56f389>::operator ()
CElevationShims::New_CreateProcessWithLogonW::<lambda_44da3b8934051cdff68cff1e918167cf>::operator ()
lpPassword
CElevationShims::New_AccessCheck::<lambda_3d186265a1d26201aa12b26b7ba50047>::operator ()
CElevationShims::New_SHCreateThreadWithHandle::<lambda_96d358581dd50ead34ca9bfc5406fb91>::operator ()
user32.dll
Error loading user32.dll
CHooker::InterceptAPI32(L"user32.dll", "AddClipboardFormatListener", (PROC)New_AddClipboardFormatListener, (PROC*)&Orig_AddClipboardFormatListener)
CHooker::InterceptAPI32(L"user32.dll", "ChangeClipboardChain", (PROC)New_ChangeClipboardChain, (PROC*)&Orig_ChangeClipboardChain)
CHooker::InterceptAPI32(L"user32.dll", "CloseClipboard", (PROC)New_CloseClipboard, (PROC*)&Orig_CloseClipboard)
CHooker::InterceptAPI32(L"user32.dll", "CountClipboardFormats", (PROC)New_CountClipboardFormats, (PROC*)&Orig_CountClipboardFormats)
CHooker::InterceptAPI32(L"user32.dll", "EmptyClipboard", (PROC)New_EmptyClipboard, (PROC*)&Orig_EmptyClipboard)
CHooker::InterceptAPI32(L"user32.dll", "EnumClipboardFormats", (PROC)New_EnumClipboardFormats, (PROC*)&Orig_EnumClipboardFormats)
CHooker::InterceptAPI32(L"user32.dll", "GetClipboardData", (PROC)New_GetClipboardData, (PROC*)&Orig_GetClipboardData)
CHooker::InterceptAPI32(L"user32.dll", "GetClipboardFormatNameA", (PROC)New_GetClipboardFormatNameA, (PROC*)&Orig_GetClipboardFormatNameA)
CHooker::InterceptAPI32(L"user32.dll", "GetClipboardFormatNameW", (PROC)New_GetClipboardFormatNameW, (PROC*)&Orig_GetClipboardFormatNameW)
CHooker::InterceptAPI32(L"user32.dll", "GetClipboardOwner", (PROC)New_GetClipboardOwner, (PROC*)&Orig_GetClipboardOwner)
CHooker::InterceptAPI32(L"user32.dll", "GetClipboardSequenceNumber", (PROC)New_GetClipboardSequenceNumber, (PROC*)&Orig_GetClipboardSequenceNumber)
CHooker::InterceptAPI32(L"user32.dll", "GetClipboardViewer", (PROC)New_GetClipboardViewer, (PROC*)&Orig_GetClipboardViewer)
CHooker::InterceptAPI32(L"user32.dll", "GetOpenClipboardWindow", (PROC)New_GetOpenClipboardWindow, (PROC*)&Orig_GetOpenClipboardWindow)
CHooker::InterceptAPI32(L"user32.dll", "GetPriorityClipboardFormat", (PROC)New_GetPriorityClipboardFormat, (PROC*)&Orig_GetPriorityClipboardFormat)
CHooker::InterceptAPI32(L"user32.dll", "GetUpdatedClipboardFormats", (PROC)New_GetUpdatedClipboardFormats, (PROC*)&Orig_GetUpdatedClipboardFormats)
CHooker::InterceptAPI32(L"user32.dll", "IsClipboardFormatAvailable", (PROC)New_IsClipboardFormatAvailable, (PROC*)&Orig_IsClipboardFormatAvailable)
CHooker::InterceptAPI32(L"user32.dll", "OpenClipboard", (PROC)New_OpenClipboard, (PROC*)&Orig_OpenClipboard)
CHooker::InterceptAPI32(L"user32.dll", "RegisterClipboardFormatA", (PROC)New_RegisterClipboardFormatA, (PROC*)&Orig_RegisterClipboardFormatA)
CHooker::InterceptAPI32(L"user32.dll", "RegisterClipboardFormatW", (PROC)New_RegisterClipboardFormatW, (PROC*)&Orig_RegisterClipboardFormatW)
CHooker::InterceptAPI32(L"user32.dll", "RemoveClipboardFormatListener", (PROC)New_RemoveClipboardFormatListener, (PROC*)&Orig_RemoveClipboardFormatListener)
CHooker::InterceptAPI32(L"user32.dll", "SetClipboardData", (PROC)New_SetClipboardData, (PROC*)&Orig_SetClipboardData)
CHooker::InterceptAPI32(L"user32.dll", "SetClipboardViewer", (PROC)New_SetClipboardViewer, (PROC*)&Orig_SetClipboardViewer)
\%s.lnk
ERROR: <%s> is missing from string table
W@APPDIR@\__Xenocode\x86\vmx.dll
Unable to load vmx.dll due to %d
Unable to locate vmx.dll export %s due to %d
CUtil::GetShimMethod(sShimName, "OnInitialize", (PVOID *)&fnOnInititialize)
%ComSpec%
/c start %s
DoPassiveDrmIf
g_vm.EssentialInit( hEntry, hBootstrapFileMapping, cbFileSize, cbOffsetPayload, pbProcessBlock, pbApplicationBlock)
xclog_0x%x.txt
g_vm.ExtraInit()
xcstream_0x%x.txt
@APPDIR@\__Xenocode\Branding.bmp
@PROGRAMFILES@\Xenocode\Branding.bmp
DoBranding( hEntry, sImagePath, CProcessSettings::StartupPath(), g_vm.GetLicenseeName(), g_vm.GetBrandingTextColor())
DoPassiveDrmIf()
@APPDIR@\__Xenocode\Splash.bmp
@PROGRAMFILES@\Xenocode\Splash.bmp
DoSplash(sImagePath, g_vm.SplashTransparent(), g_vm.SplashDisplaySeconds())
g_vm.StartDependencies()
g_vm.RunShotgunApps()
g_vm.CanRunInBootstrap(fCanRun)
g_vm.PrimeAndRunExe()
g_vm.ShellExecuteChildProcess()
%s %s (0x%X)
hr: %x
\x86\vm.dll
Process %d (0x%X) '%s' started in debug mode.
Click 'Ok' to continue using specified vm.dll or 'Cancel' to use embedded vm.
Didn't find local vm.dll, using embedded.
%u.%u.%u.%u
.manifest
No child layer in %s.
\pipe\
\??\pipe\
New_NetLocalGroupAdd::<lambda_4f6516e028a32fffa0bed2ff8184ea49>::operator ()
New_NetLocalGroupAddMembers::<lambda_32f8d4017faa09f568026cc9125ec9f3>::operator ()
Fallback virtual %s service account to NT Service
New_LookupAccountNameA::<lambda_c4ab36f356eb2d9314c1499a4f3090a2>::operator ()
New_LookupAccountNameW::<lambda_ef7eec37a16d650a71dc61cd0d9a62e5>::operator ()
netapi32.dll
Error loading netapi32.dll
CHooker::InterceptAPI32(L"netapi32.dll", "NetLocalGroupAdd", (PROC)New_NetLocalGroupAdd, (PROC*)&Orig_NetLocalGroupAdd)
sCHooker::InterceptAPI32(L"netapi32.dll", "NetLocalGroupAddMembers", (PROC)New_NetLocalGroupAddMembers, (PROC*)&Orig_NetLocalGroupAddMembers)
Error loading advapi32.dll
CHooker::InterceptAPI32(L"advapi32.dll", "LookupAccountNameW", (PROC)New_LookupAccountNameW, (PROC*)&Orig_LookupAccountNameW)
CHooker::InterceptAPI32(L"advapi32.dll", "LookupAccountNameA", (PROC)New_LookupAccountNameA, (PROC*)&Orig_LookupAccountNameA)
_ConnectNamedPipe(s_hFeedbackPipe, CProcessSettings::NotificationFlagSet(eSendProcessNotifications))
Unable add _ExecuteCommand notification handle.
\\.\pipe\_xmgr_%s
Unable to open named pipe for feedback...
CClientSync::_ConnectNamedPipe
_SendMessageOverPipe(rh, (PVOID)&msg, sizeof(msg))
_xmgr_%s_mem_xlayerinfo_0xX
Unable to map view of sman-specified XLayer info: %s.
Invalid required xlayer mapping in sman-specified XLayer info: %s.
Unable to open specified xLayer: %s.
Unable to create mapping of specified xLayer: %s.
Unable to write message over pipe.
CClientSync::_SendMessageOverPipe
\*-x86.dll
CHttpSrv: bad url regexp
CHttpSrv::prepareUrlRE
CHttpSrv findFreeTcpPort failed: couldn't create socket. WsaGle:%d, Gle:0x%X
CHttpSrv::findFreeTcpPort
CHttpSrv findFreeTcpPort failed: couldn't bind
CHttpSrv findFreeTcpPort failed: couldn't retrieve port number
CHttpSrv::HttpAddUrl
CHttpSrv %s: invalid url: %s
CHttpSrv TODO: HttpReceiveHttpRequest synchronous requests are not supported yet
CHttpSrv::HttpReceiveHttpRequest
CHttpSrv _reCookUrl: invalid url: %s
CHttpSrv::_reCookUrl
CHttpSrv getnameinfo: got unexpected port %d (hostPort should be %d)
CHttpSrv::getnameinfo
Regular expression matcher failed to parse: %s, Error returned: %n
%s%s%s
_X
Found one-time handle: 0x%X, for path: %s.
\REGISTRY\USER\%s\Software\Spoon\SandboxCache
NT::RtlConvertSidToUnicodeString( &usSidString, pTokenUser->User.Sid, TRUE)
_pipe_
0xXX
_xvm_mem_sandbox_info_%s
_xvm_mtx_sandbox_info_%s
Two applications using same sandbox at the same time with different settings. Unexpected results would occur, thus failing fast: Existing Bootstrap: %s, This Bootstrap: %s, Existing EntrySvm: %s, This EntrySvm: %s.
_xvm_mtx_sentinel_%s
_xvm_mtx_servicesentinel_%s
_xvm_evt_notification_%s
GetModuleFileNameW failed for main exe
Exceeded duplicate handle space, procInfoVer: %d, cwcPath: %d, countDups: %d.
Can't create process information memory with status: 0x%X.
Can't create process information with status: 0x%X.
Failed to VirtualAllocEx for target process. Status: 0x%X, Size returned is: 0x%X.
Unable to get info for virtual-proc candidate: 0x%X, peb: 0x%X
Can't create process information object with gle: 0x%X.
Can't map process information object with gle: 0x%X.
Can't create injected process information object with gle: 0x%X.
Can't map injected process information object with gle: 0x%X.
_vmapi_pids_sandbox_0x%s
_vmapi_pids_sandbox_0xXX
Someone wants SACL portion of security descriptor, but we don't have that
Unexpected error from MakeSelfRelativeSD: %d
NtCreateFile failed: 0x%X
NtWriteFile failed: 0x%X
NtClose failed: 0x%X
tDumpStdin: %s
rTruncStdStreams: %d
\stubexe\0xXX\%s
CreateStubExe(rSettings, rsStubExePath)
CStubexe::EnsureStubExe
CAtomicFile::InitForWrite( sStubExePath, cbStubExe, &pStmFile)
CStubexe::CreateStubExe
pStmFile->GetMappedView((PVOID*)&pbStubExe)
ws2_32.dll
Can't get ws2_32.dll handle
WSAStartup failed with error code %d
New_WSAStartup::<lambda_e60d4002a24fc40ebe451a45f5d046c1>::operator ()
MaxUdpDg
Error loading ws2_32.dll
CHooker::InterceptAPI32(L"ws2_32.dll", "WSAStartup", (PROC)New_WSAStartup, (PROC*)&Orig_WSAStartup)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSASocketW", (PROC)New_WSASocketW, (PROC*)&Orig_WSASocketW)
CHooker::InterceptAPI32(L"ws2_32.dll", "closesocket", (PROC)New_closesocket, (PROC*)&Orig_closesocket)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSAConnect", (PROC)New_WSAConnect, (PROC*)&Orig_WSAConnect)
tCHooker::InterceptAPI32(L"ws2_32.dll", "connect", (PROC)New_connect, (PROC*)&Orig_connect)
CHooker::InterceptAPI32(L"ws2_32.dll", "getsockname", (PROC)New_getsockname, (PROC*)&Orig_getsockname)
CHooker::InterceptAPI32(L"ws2_32.dll", "getpeername", (PROC)New_getpeername, (PROC*)&Orig_getpeername)
CHooker::InterceptAPI32(L"ws2_32.dll", "getaddrinfo", (PROC)New_getaddrinfo, (PROC*)&Orig_getaddrinfo)
CHooker::InterceptAPI32(L"ws2_32.dll", "freeaddrinfo", (PROC)New_freeaddrinfo, (PROC*)&Orig_freeaddrinfo)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSAIoctl", (PROC)New_WSAIoctl, (PROC*)&Orig_WSAIoctl)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSALookupServiceBeginW", (PROC)New_WSALookupServiceBeginW, (PROC*)&Orig_WSALookupServiceBeginW)
CHooker::InterceptAPI32(L"ws2_32.dll", "WSALookupServiceNextW", (PROC)New_WSALookupServiceNextW, (PROC*)&Orig_WSALookupServiceNextW)
dCHooker::InterceptAPI32(L"ws2_32.dll", "WSALookupServiceEnd", (PROC)New_WSALookupServiceEnd, (PROC*)&Orig_WSALookupServiceEnd)
CHooker::InterceptAPI32(L"ws2_32.dll", "GetAddrInfoExW", (PROC)New_GetAddrInfoExW, (PROC*)&Orig_GetAddrInfoExW)
New_ChangeServiceConfig2W::<lambda_7699db4edee44d4bdc517357f58c5469>::operator ()
New_CreateServiceW::<lambda_3f35bc08f08e29c08cc15927fa14be0e>::operator ()
New_EnumDependentServicesW::<lambda_d3ae41bf9e6bb651675e34aaedec33cf>::operator ()
New_GetServiceKeyNameA
New_GetServiceKeyNameW::<lambda_4e6abaa4036798190de5775c4655ab22>::operator ()
New_GetServiceDisplayNameW::<lambda_ffab40b5589aea36e04c8eeb200f29e7>::operator ()
New_OpenSCManagerA::<lambda_3336d17add3578c13e96f2f7d6f8955c>::operator ()
New_OpenSCManagerW::<lambda_8e35c84c5aa06bfbf42d9dd088e7deb2>::operator ()
New_OpenServiceA::<lambda_b97463f964eccaa115e19630d7622888>::operator ()
New_OpenServiceW::<lambda_c81d13b389175518747ef8d37997388e>::operator ()
New_QueryServiceConfigA::<lambda_c66a2e8671b6e8be6a7876c9ae62985a>::operator ()
New_QueryServiceConfigW::<lambda_8291269c456187f54a5efb1279a12718>::operator ()
New_QueryServiceConfig2A::<lambda_63ef998ecfe52a4685857151e097b366>::operator ()
New_QueryServiceConfig2W::<lambda_11b7a02fa7740ba9d532bbd26b031ba5>::operator ()
New_QueryServiceStatus::<lambda_9d2cba8ba2120761503ad968ba761364>::operator ()
Call to %s made: Ret: 0x%X, ServiceType: 0x%X, CurrentState: 0x%X, Win32ExitCode: 0x%X, ServiceExitCode: 0x%X.
Calling to %s.
Called to %s made: Ret: 0x%X.
New_StartServiceW::<lambda_7bed74b2d1d41eaf4d731a373c9449fb>::operator ()
CHooker::InterceptAPI32(moduleName, "GetServiceKeyNameA", (PROC)New_GetServiceKeyNameA, (PROC*)&Orig_GetServiceKeyNameA)
CHooker::InterceptAPI32(moduleName, "GetServiceKeyNameW", (PROC)New_GetServiceKeyNameW, (PROC*)&Orig_GetServiceKeyNameW)
\REGISTRY\MACHINE\System\CurrentControlSet\Services\%s
_xvm_mtx_%s_0xX
Failed to create mutex for service: %s.
_xvm_evt_shutdown_%s_0xX
Failed to create shutdown event for service: %s.
_xvm_evt_control_%s_0xX
Failed to create control event for service: %s.
_xvm_evt_controlhandlerabouttobecalled_%s_0xX
_xvm_evt_controlhandlercalled_%s_0xX
_xvm_mem_%s_0x%X
Failed to allocate shared memory for service: %s.
CHooker::InterceptAPI32(L"kernel32.dll", "GetThreadContext", (PROC)New_GetThreadContext, (PROC*)&Orig_GetThreadContext)
CHooker::InterceptAPI32(L"kernel32.dll", "ResumeThread", (PROC)New_ResumeThread, (PROC*)&Orig_ResumeThread)
X.exe
avant.exe
Shim: Translating NtSetInformationProcess response from STATUS_NOT_SUPPORTED to STATUS_SUCCESS. Probably ok.
CCompatibilityShims::IgnoreNtSetInformationProcessErrorsShim
liexplore.exe
sxwmon32.dll
CHooker::InterceptAPI32(L"kernel32.dll", "LoadLibraryExW", (PROC)New_LoadLibraryExW, (PROC*)&Orig_LoadLibraryExW)
Can't get PIMAGE_THUNK_DATA from msi.dll
CCompatibilityShims::HookIATModulesShimIf
w3wp.exe
gCHooker::InterceptAPI32(L"advapi32.dll", "LsaManageSidNameMapping", (PROC)New_LsaManageSidNameMapping, (PROC*)&Orig_LsaManageSidNameMapping)
CHooker::InterceptAPI32(L"advapi32.dll", "LogonUserExW", (PROC)New_LogonUserExW, (PROC*)&Orig_LogonUserExW)
CHooker::InterceptAPI32(L"advapi32.dll", "LogonUserExExW", (PROC)New_LogonUserExExW, (PROC*)&Orig_LogonUserExExW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateProcessAsUserW", (PROC)New_CreateProcessAsUserW, (PROC*)&Orig_CreateProcessAsUserW)
CHooker::InterceptAPI32(L"advapi32.dll", "CreateProcessAsUserW", (PROC)New_CreateProcessAsUserW, (PROC*)&Orig_CreateProcessAsUserW)
CHooker::InterceptAPI32(L"kernelbase.dll", "CreateNamedPipeW", (PROC)New_CreateNamedPipeW, (PROC*)&Orig_CreateNamedPipeW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateNamedPipeW", (PROC)New_CreateNamedPipeW, (PROC*)&Orig_CreateNamedPipeW)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpCreateRequestQueue", (PROC)New_HttpCreateRequestQueue, (PROC*)&Orig_HttpCreateRequestQueue)
CHooker::InterceptAPI32(L"httpapi.dll", "HttpSetServerSessionProperty", (PROC)New_HttpSetServerSessionProperty, (PROC*)&Orig_HttpSetServerSessionProperty)
yCHooker::InterceptAPI32(L"httpapi.dll", "HttpSetUrlGroupProperty", (PROC)New_HttpSetUrlGroupProperty, (PROC*)&Orig_HttpSetUrlGroupProperty)
tiworker.exe
_xvm_http_0xXX_0xXX_%s
Potential problem with exceed DirectoryName: %s
HttpSetPropertyHook
CHooker::InterceptAPI32(L"ntdll.dll", "KiUserCallbackDispatcher", (PROC)New_KiUserCallbackDispatcher, (PROC*)&Orig_KiUserCallbackDispatcher)
CCompatibilityShims::PrepareWindowsHookPrevention
sqlservr.exe
CHooker::InterceptAPI32(L"kernelbase.dll", "TlsAlloc", (PROC)New_TlsAlloc, (PROC*)&Orig_TlsAlloc)
CCompatibilityShims::PrepareTlsShimIf
CHooker::InterceptAPI32(L"kernel32.dll", "TlsAlloc", (PROC)New_TlsAlloc, (PROC*)&Orig_TlsAlloc)
CHooker::InterceptAPI32(L"user32.dll", "GetShellWindow", (PROC)New_GetShellWindow, (PROC*)&Orig_GetShellWindow)
CCompatibilityShims::PrepareIeShellWindowShimIf
\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
CHooker::InterceptAPI32(L"ntdll.dll", "NtAllocateVirtualMemory", (PROC)New_NtAllocateVirtualMemory, (PROC*)&Orig_NtAllocateVirtualMemory)
Unexpected attribs: 0x%X.
CDEPShim::_ConvertPageProtectionsToExecutable
NtQueryVirtualMemory failed in DEP shim unexpectedly: 0x%X.
CDEPShim::_ConvertExistingPageProtectionsToExecutable
Virtual protect failed in DEP shim: 0x%X.
Address overflow or invalid page in DEP shim: 0x%X.
CMsvcrtShim::New__dup
CHooker::InterceptAPI32(L"msvcr110.dll", "_dup", (PROC)New__dup, (PROC*)&Orig__dup)
CMsvcrtShim::HookRequiredApisIf
\StringFileInfo\xx\FileDescription
wixstdba.dll
gdiplus.dll
CCrypt32Shim::New_CryptProtectData::<lambda_9a62782635485ffbed67d26da942b7cc>::operator ()
Unsupported SpoonCrypt32 format
CCrypt32Shim::New_CryptUnprotectData::<lambda_6cd6fff02a74c2953a543651b0fd13ea>::operator ()
CHooker::InterceptAPI32(L"crypt32.dll", "CryptProtectData", (PROC)New_CryptProtectData, (PROC*)&Orig_CryptProtectData)
CHooker::InterceptAPI32(L"crypt32.dll", "CryptUnprotectData", (PROC)New_CryptUnprotectData, (PROC*)&Orig_CryptUnprotectData)
CHooker::InterceptAPI32(L"kernel32.dll", "QueryActCtxWWorker", (PROC)New_QueryActCtxW, (PROC*)&Orig_QueryActCtxW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateActCtxWWorker", (PROC)New_CreateActCtxW, (PROC*)&Orig_CreateActCtxW)
CHooker::InterceptAPI32(L"kernel32.dll", "QueryActCtxW", (PROC)New_QueryActCtxW, (PROC*)&Orig_QueryActCtxW)
CHooker::InterceptAPI32(L"kernel32.dll", "CreateActCtxW", (PROC)New_CreateActCtxW, (PROC*)&Orig_CreateActCtxW)
%s_0x%s.%d.manifest
%s_0x%s.manifest
Remapping %s under the manifest folder to under starup dir: %s. If active activation context was created outside this location, this remapping will not be correct as this is not yet implemented.
Calling TLS callbacks for module %p with reason %d.
Adding module %p to virtual TLS at index %d.
X-X-X-XX-XXXXXX
Unsupported path format given to Split: %s
VMAPICALL(VmCreateDirectory( &hDir, pwcsLeftPath, FILE_GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, &fCreate, 0))
@SQLXENOCODE@
Error 0x%X from call: %s
W32::SHGetFolderPathW( 0, nFolder, 0, SHGFP_TYPE_CURRENT, sResultPath.GetBuffer(MAX_PATH 1))
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
%COMMONPROGRAMW6432%
%USERPROFILE%
%COMMONPROGRAMFILES%
%COMMONPROGRAMFILES(x86)%
\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\REGISTRY\USER\%s\SOFTWARE\CLASSES\Wow6432Node\%s
\REGISTRY\USER\%s_Classes\%s
\REGISTRY\USER\%s\SOFTWARE\CLASSES\%s
\REGISTRY\USER\%s\SOFTWARE\Wow6432Node\CLASSES\%s
Too many alias mappings have been added. Skipping: %s ==> %s
Adding alias mapping from %s to %s
@APPDIR@ replaced with = %s
@APPDIR@ = %s
\REGISTRY\USER\%s
_SetSpecialFolderPathIfEmpty( CSIDL_WINDOWS, *psReplacement)
@WINDIR@ = %s
@SYSDRIVE@ = %s
@PROGRAMFILESX86@ = %s
@PROGRAMFILESCOMMONX86@ = %s
@SYSWOW64@ = %s
@SYSNATIVE@ = %s
@PROGRAMFILES@ = %s
@PROGRAMFILESCOMMON@ = %s
@SYSTEM@ = %s
@PROFILE@ = %s
@PROFILECOMMON@ = %s
@APPDATA@ = %s
@APPDATALOCAL@ = %s
@APPDATALOCALLOW@ = %s
@STARTMENU@ = %s
@PROGRAMS@ = %s
@STARTUP@ = %s
@TEMPLATES@ = %s
@FAVORITES@ = %s
@DESKTOP@ = %s
@DOCUMENTS@ = %s
@MUSIC@ = %s
@PICTURES@ = %s
@VIDEOS@ = %s
@APPDATACOMMON@ = %s
@STARTMENUCOMMON@ = %s
@PROGRAMSCOMMON@ = %s
@STARTUPCOMMON@ = %s
@DESKTOPCOMMON@ = %s
@TEMPLATESCOMMON@ = %s
@FAVORITESCOMMON@ = %s
@DOCUMENTSCOMMON@ = %s
@MUSICCOMMON@ = %s
@PICTURESCOMMON@ = %s
Got raw folders. Time consumed so far: %d ms.
\REGISTRY\USER\.DEFAULT
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\EnterpriseCertificates
\REGISTRY\USER\%s_Classes\Wow6432Node
\REGISTRY\USER\%s\SOFTWARE\CLASSES
\REGISTRY\USER\%s_Classes
Got alternative paths. Time consumed so far: %d ms.
@SQLXENOCODE@ = %s
CFolderMapper::SetSqlInstance
Failed to get name info for alternate mapping. Error: 0x%X, Path: %s
Open file info handle for alternate mapping not found. Error: 0x%X, Path: %s
Failed to open file info handle for alternate mapping. Error: 0x%X, Path: %s
CFolderMapper::_GetDFSSharePathIf
NtQuerySymbolicLinkObject failed (0x%X), using default device path.
NtQuerySymbolicLinkObject failed to get the size (0x%X), using default device path.
NtOpenSymbolicLinkObject failed (0x%X), using default device path.
NtOpenDirectoryObject failed (0x%X), using default device path.
Unexpected NT root for a DFS network share: %s.
Unexpected path: %s
\??\%c:
Currently don't support more than 4 virtual drives. Tried to add %s.
Failed to create directory in CAtomicFile. Path: %s
Failed to get device info for directory containing CAtomicFile. Path: %s
Using non-atomic mechanism for network share to location: %s
Target file is not writable in CAtomicFile. Path: %s
Failed to create tmp file in CAtomicFile. Path: %s
Failed to create file stream in CAtomicFile. Path: %s
Failed to create file section in CAtomicFile. Path: %s
Failed to open file in CAtomicFile. Path: %s
Failed to get file size in CAtomicFile. Path: %s
@APPDIR@\__Xenocode\%s
@PROGRAMFILES@\Xenocode\%s
Unable to load shim %s due to %d
Unable to locate shim %s, export %s due to %d
Unable to modify memory protect flags in CUtil::WriteProtectedMemory, gle: %d
Cross-region protected writes not yet supported
Unable to query memory protect flags in CUtil::WriteProtectedMemory, status: 0x%X
Regular expression matcher failed to parse: %s, Original pattern: %s, Error returned: %n
_pSeqStream->Read( rsString.GetBuffer(cwc), cwc*sizeof(WCHAR), 0)
_pSeqStream->Read( rsString.GetBuffer(cc), cc, 0)
pSeqStream.QueryInterface(&_pBaseStream)
Error mapping view in CNtMapper: 0x%X
Error mapping view in CNaiveNtMapper: 0x%X
Unable to open process 0x%X due to gle: %d.
IStream::CopyTo called with unsupported params
_IterateHelper( eMapperReadAccess, cb.QuadPart, 0, _CopyToData, pstm)
"%s" %s
IsCurrentUserInAdministratorsGroup::<lambda_2179f77a211af9bd662a768caed054fe>::operator ()
Start of diagnostic log for process with command line: %s, current pid: 0x%X
Done Setting some windows apis. Time consumed so far: %d ms.
Got OS info. Time consumed so far: %d ms.
Got parent info. Time consumed so far: %d ms.
Initialized folder mapper. Time consumed so far: %d ms.
11.8.723
Application executing with VM version: %s
CSandbox::FormatSandboxPath( g_vm.GetFolderMapper(), CProcessSettings::SandboxPath(), CProcessSettings::SandboxHash(), CProcessSettings::RegCacheRoot(), CProcessSettings::SpoonCachePath())
Extracted configuration. Time consumed so far: %d ms.
Failed to attach console to parent: %x
Failed to reopen stdout %x
Failed to reopen stderr %x
_folderMapper.MakeNtPath(sCurrentDirectory, sNtCurrentDirectory)
Stubexe module is not a valid NT image! Indicates some sort of application corruption.
CUtil::SetCurrentPosition(_pBootstrapExe, _cbOffsetPayload)
_config.LoadXLayer(eLoadBootstrapSettings, _pBootstrapExe)
_config.LoadXLayer(eLoadSystemLayer, _pBootstrapExe)
Loading /XEntry settings: %s.
_config.LoadXLayer(flags, _pBootstrapExe)
VMAPICALL(VmGetSpecialFolder( CSIDL_SYSTEM, _strSystem32.GetBuffer(cwc), &cwc))
Additional layer path: %s
Loading additional xlayer: %s.
Specified xlayer: %s could not be loaded because of 0x%X.
Didn't find required xlayer %s in default search pattern %s.
Loading /XEntry xlayer: %s.
_config.LoadXLayer(eLoadNonSystemLayers | eLoadEntryLayers, _pBootstrapExe)
Trying to add layer: %s
reader.Init(pStream)
reader.ReadULONG(signature)
Unsupported vm version
reader.ReadULONG(seedOriginal)
reader.ReadULONG(seedDataCompare)
reader.ReadULONG(seedBogusCompare)
reader.ReadULONG(cbFullSizeHashed32)
reader.ReadULONG(cbCompressedSizeHashed32)
reader.ReadULONG(cbFullSizeHashed64)
reader.ReadULONG(cbCompressedSizeHashed64)
reader.ReadULONG(cbFullSizeHashed)
reader.ReadULONG(cbCompressedSizeHashed)
_config.LoadXLayer(loadFlags, pStream)
Failed to add keep-alive notification handle. Gle: %d.
Failed to add reg-flush timer to timer queue. Gle: %d.
Finished extra init. Time consumed so far: %d ms.
ShellExecuteFile( rStartupFile.GetStartupDir(), rStartupFile.GetStartupFile(), L"open", rStartupFile.GetCommandLine(), 0, lastFile ? eWaitForAll : eNoWaitContinue, lastFile)
ShellExecuteFile( CProcessSettings::StartupDir(), CProcessSettings::StartupFile(), CProcessSettings::StartupVerb(), CProcessSettings::CommandLineArguments(), CProcessSettings::CurrentDirectory(), fWaitSetting, TRUE)
CSystemManager::ShellExecuteChildProcess
Launching startup file %s, verb %s, params %s, cur-dir %s, Wait for Return %d
CSystemManager::ShellExecuteFile
ShellExecuteEx failed for file: %s.
Failed to add wait-for-lastproc timer to timer queue. Gle: %d.
_CheckThatStartupExeMatchesStubExe(rfCanRun)
Unable to open file the startup module: %s.
Unable to create secion of startup module: %s.
Unable to map view of startup module: %s.
_folderMapper.MakeNtPath(CProcessSettings::StartupPath(), sNtPathToStartupFile)
CSystemManager::_CheckThatStartupExeMatchesStubExe
Startup file: %s not a real NT Image.
_GetRawImageData(pwcsStartupExe, &pbData, &cbData)
Startup file out-of-range of reserved region in child process: %s.
.local
Font file %s failed to load with error: %d.
Removing IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG entry from startup module %s to match stubexe.
Failed to create process default activation context. Gle: %d
mscoree.dll
Unable to load mscoree.dll due to 0x%X.
Unable to load a dependency module %s to the startup module %s due to error: 0x%X.
Unable to get module fullpath for %s.
Unable to create activation context for module %s.
Unable to located dependency module %s in loader list.
Unable to activate actctx for %s.
Error init tls for module: %s.
_LoadStaticDependenciesRecursive (pLdrData, (PBYTE)hImported, pwcsDllLoadPath)
Unable to deactivate actctx for %s.
Potential TLS leak for module %s!!!
Ordinal: %d
%s:%s
Unable to locate imported method: %s in module: %s while loading startup module: %s.
Activating actctx for: %s
CSystemManager::_ExecuteDllInitRoutinesRecursive
Running entry point with reason %d for: %s
Deactivating actctx for: %s
Any error occured while processing dll-init routines for: %s
Original exe does not have entry point. 0x01 File: %s.
Original exe does not have entry point. 0x02 File: %s.
_folderMapper.MakeNtPath(CProcessSettings::StartupPath(), sNtPathToStartupFile, FALSE)
CSystemManager::PrimeAndRunExe
_LoadStaticDependenciesRecursive(pLdrData, _pbMappedImage, pPeb->ProcessParameters->DllPath.Buffer)
_ExecuteDllInitRoutinesRecursive(DLL_PROCESS_ATTACH)
Had error 0xX in PrimeAndRunExe
OS Information - Version %d.%d.%d, SP: %d.%d, Suite: 0x%X, Platform: 0x%X, ProductType: 0x%X, Text: %s.
Wrapping File handle: 0x%X.
Wrapping Key handle: 0x%X.
CCompatibilityShims::PrepareTlsShimIf(CProcessSettings::StartupFile())
_HookWindowsApis ()
CCompatibilityShims::PrepareWindowsHookPrevention()
CCompatibilityShims::PrepareIeShellWindowShimIf()
Got following current directory from proc: %s
Error opening file to stub exe: %s, error: 0x%X.
CSystemManager::OpenSectionToStubExe
Error opening section to stub exe: %s, error: 0x%X.
spoon.exe
turbo.exe
__xnospawnvm_0x%x
Creating process %s. IsExternal: %d, SpawnVm: %d, AfterExceptionLookup: %d
Module 0x%X, not valid PE when looking for procedure: %s
Called for other process' window (%u) (current process=%u)
Telling the process to exit gracefully (causedByUserAction=%d, isService=%d, isConsoleApp=%d)
In EnumWindows call
ADVAPI32.DLL
COMCTL32.DLL
CRYPT32.DLL
GDI32.DLL
IERTUTIL.DLL
KERNEL32.DLL
KERNELBASE.DLL
MSASN1.DLL
MSVCRT.DLL
NORMALIZ.DLL
NSI.DLL
NTDLL.DLL
OLE32.DLL
OLEAUT32.DLL
RPCRT4.DLL
SECUR32.DLL
SHELL32.DLL
SHLWAPI.DLL
USER32.DLL
URLMON.DLL
WININET.DLL
WS2_32.DLL
WS2HELP.DLL
Found restricted dll %s in system32 or syswow64. We require the startup exe launch in child process.
Setting special directory to merge isolation %s
Setting special registry to writecopy isolation %s
Overridding file isolation for %s to %d
VMAPICALL(VmGetSpecialFolder( CSIDL_WINDOWS, _strVirtualSxsPath.GetBuffer(cwc), &cwc))
Dependant service %s didn't return config with gle: 0x%X.
Dependant service %s didn't return status with gle: 0x%X.
Dependant service %s didn't start with ExitCode: 0x%X, ServiceExitCode: 0x%X.
Dependant service %s didn't start with gle: 0x%X.
Dependant service %s didn't start within 30 seconds. Current state: 0x%X, ExitCode: 0x%X, ServiceExitCode: 0x%X.
Auto-start service %s isn't one of the supported types. Type: 0x%X.
_xvm_evt_startupcompleted_0xX
psapi.dll
goleaut32.dll
rpcrt4.dll
version.dll
comctl32.dll
__VMX_0xX
Failed to fault-in reg key segment. Error: 0x%X, Path: %s
CVmApi::VmCreateKeyEx
Failed to fault-in directory path segment. Error: 0x%X, Path: %s
Unable to delete path %s due to 0x%X
VmGetVolumeInformation failed openeing the file %s: 0x%X
VmGetVolumeInformation failed querying FileFsVolumeInformation for %s: 0x%X
VmGetVolumeInformation failed querying FileFsDeviceInformation for %s: 0x%X
Unable to delete path element %s due to 0x%X
%s\%s
Converting global windows hook to just current thread. Could result application compatibility issues.
New_SetWindowsHookExA
New_SetWindowsHookExW
CSystemManager::_HookWindowsApis
ACHooker::InterceptAPI32(L"user32.dll", "FindWindowA", (PROC)New_FindWindowA, (PROC*)&Orig_FindWindowA)
CHooker::InterceptAPI32(L"user32.dll", "FindWindowW", (PROC)New_FindWindowW, (PROC*)&Orig_FindWindowW)
CHooker::InterceptAPI32(L"user32.dll", "FindWindowExA", (PROC)New_FindWindowExA, (PROC*)&Orig_FindWindowExA)
CHooker::InterceptAPI32(L"user32.dll", "FindWindowExW", (PROC)New_FindWindowExW, (PROC*)&Orig_FindWindowExW)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowTextA", (PROC)New_SetWindowTextA, (PROC*)&Orig_SetWindowTextA)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowTextW", (PROC)New_SetWindowTextW, (PROC*)&Orig_SetWindowTextW)
CHooker::InterceptAPI32(L"user32.dll", "GetWindowTextA", (PROC)New_GetWindowTextA, (PROC*)&Orig_GetWindowTextA)
CHooker::InterceptAPI32(L"user32.dll", "GetWindowTextW", (PROC)New_GetWindowTextW, (PROC*)&Orig_GetWindowTextW)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowsHookExW", (PROC)New_SetWindowsHookExW, (PROC*)&Orig_SetWindowsHookExW)
CHooker::InterceptAPI32(L"user32.dll", "SetWindowsHookExA", (PROC)New_SetWindowsHookExA, (PROC*)&Orig_SetWindowsHookExA)
CHooker::InterceptAPI32(L"user32.dll", "CreateWindowExA", (PROC)New_CreateWindowExA, (PROC*)&Orig_CreateWindowExA)
WCHooker::InterceptAPI32(L"user32.dll", "CreateWindowExW", (PROC)New_CreateWindowExW, (PROC*)&Orig_CreateWindowExW)
CHooker::InterceptAPI32(L"user32.dll", "CreateWindowA", (PROC)New_CreateWindowA, (PROC*)&Orig_CreateWindowA)
CHooker::InterceptAPI32(L"user32.dll", "CreateWindowW", (PROC)New_CreateWindowW, (PROC*)&Orig_CreateWindowW)
\REGISTRY\USER\%s\Environment
pipe
Module 0x%X, not valid PE when looking for RVA: 0x%X
Failed to query existing file information. Error: 0x%X, Path: %s
CNtSystemVirtual::NtCreateNamedPipeFile
.config
Error creating new file for virtual directory rename (0x%x): %s
Error iterating children during virtual directory rename (0x%x): %s
Path skipped during virtual directory move... handled: %d, status: 0x%x, path: %s
Error moving child '%s' to '%s' during virtual directory rename (0x%x)
Error removing old directory during virtual directory rename (0x%x): %s
\shallow\%s_0x%s%s
Shallow path available only for full-iso virtual files: %s
Shallow path unavailable for non-handled path: %s
Couldn't get volume info handle on current drive %s due to error: 0x%X. Using bootstrap path %s instead.
Failed to open volume information handle for virtual file. Error: 0x%X, Path: %s
Faulting in file: %s. Use roaming: %d.
Unexpected path prefix: "%s"
Unable to open file for faulting-in. Error: 0x%X, Path: %s.
Unable to create section of fault-in file. Error: 0x%X, Path: %s.
Unable to read current position when faulting in write-copy file. Might not have permission to get position. Error: 0x%X, Path: %s.
Unexpected error from file stream. Error: 0x%X, Path: %s
Failed to set file stream position. Error: 0x%X, Path: %s
Unable to obtain file stream. Error: 0x%X, Path: %s
Called FindFirstFile with unsupported params. FileHandle: 0x%X, Event: 0x%X, Apc: 0x%X, FileInformationClass: 0x%X, Path: %s.
Very large files not supported. Tried to access: %s.
decompStream.Init (pMemStream)
decryptStream.Init (&decompStream, _seed)
_cacheFileMemory.GetData(item, (void**)&pbData, &cbData)
Corrupt path parts in CRemotedFileObject::Init: %s, %s
Unsupported rename operation
Unsupported RootDir in rename file operation
Unsupported rename file operation: %s
FileFsDriverPathInformation unsupported
Duplicating handle into virtual process %x, obj path %s.
Duplicating handle into a non-virtual process; obj path %s.
We don't expect to not handle a cross-proc duplicated virtual file %s, status: 0x%0X.
We don't expect to not handle a cross-proc duplicated object %s, type: 0x%X.
Dropping NtSetSecurityObject on the floor. Usually not a problem. Use enableLegacySecurityPassthrough="True" otherwise.
Need to implement duplicate handle to another process for %s.
Can only launch 32 and 64bit child process %s in VM.. just launching outside..
\??\@WINDIR@\System32\windowspowershell\v1.0\powershell.exe
\??\@WINDIR@\SysWOW64\windowspowershell\v1.0\powershell.exe
CNtSystemVirtual::NtCompactKeys
CNtSystemVirtual::NtLoadKey
CNtSystemVirtual::NtLoadKey2
CNtSystemVirtual::NtLoadKeyEx
CNtSystemVirtual::NtLockRegistryKey
CNtSystemVirtual::NtQueryOpenSubKeys
CNtSystemVirtual::NtQueryOpenSubKeysEx
CNtSystemVirtual::NtReplaceKey
CNtSystemVirtual::NtRestoreKey
CNtSystemVirtual::NtSaveKey
CNtSystemVirtual::NtSaveKeyEx
CNtSystemVirtual::NtSaveMergedKeys
%UserProfile%
CNtSystemVirtual::NtUnloadKey
CNtSystemVirtual::NtUnloadKey2
CNtSystemVirtual::NtUnloadKeyEx
Failed to open root regkey node. Error: 0x%X, Path: %s
CNtSystemVirtual::FaultInRegKeysIf
Failed to faulted-in value: %s for key: %s. Error: 0x%X
Failed to fault-in key segment. Error: 0x%X, Path: %s
Failed to query existing reg key information. Error: 0x%X, Path: %s
CNtSystemVirtual::AddExistingRegKey
Dropping DesiredAccess from 0x%X to 0x%X for faulting in key %s
CVirtualRegKey::Init
NtRenameKey not implemented for virtual registry keys, Path: %s
CVirtualRegKey::NtRenameKey
Called QueryKey with unsupported class. KeyInformationClass: 0x%X, Length: 0x%X, Path: %s.
CVirtualRegKey::NtQueryKey
Called EnumerateKey with unsupported class. KeyInformationClass: 0x%X, Length: 0x%X, Path: %s.
CVirtualRegKey::_NtEnumerateKeyHelper
Failed to get cached info for %s.
CVirtualRegKey::_CheckCacheValidityUpdateIf
Faulting in cached copy of: %s.
CVirtualRegKey::_lokFaultInSandboxIf
Dropping _DesiredAccess from 0x%X to 0x%X for faulting in %s
Failed to open faulted-in virtual key with desired access. Error: 0x%X, Path: %s
Possible issue with KEY_WOW64_64KEY | KEY_WOW64_32KEY access bits on key: %s. Check if this virtual reg key is merge isolation; try setting to full.
CWriteCopyRegKey::Init
Failed to make path string %s uppercase gle: 0x%X.
Failed to make path string %s lowercase gle: 0x%X.
Faulting in section backed by file: %s. Write operation: %d.
Error mapping in image from stream.. Status: 0x%X.
Failed to set correct protections for image section. Desired access: 0x%X, Address: 0x%X, Size: 0x%X, GLE: %d, Using default.
File %s is not real NT Image.. Status: 0x%X.
NtQueryVirtualMemory with info %d on section %s.
Called NtCreateSection on a non file. Not implemented. FileHandle: 0x%X, Path: %s.
Unsupported call to ChangeServiceConfig2A attempted. We are returning success anyway, but this might cause problems.
Unsupported call to ChangeServiceConfig2W attempted. We are returning success anyway, but this might cause problems.
CNtSystemVirtual::GetServiceKeyNameA
CNtSystemVirtual::GetServiceKeyNameW
Configuration type %d not implemented
Starting service %s with more than %d arguments is not yet implemented.
sc.exe
net.exe
net1.exe
Unable to start msiexec as non-admin
CreateProcessW failed in _LokDoStartService with Gle: %d, Startup: %s, Server: %s
Couldn't convert %s to nt path, will try next layer
Unexpected sxs cache path: %s
Unable to write default manifest file, hr: %x
Commit failed when writing default manifest file, status: %x
Unable to write default manifest file, status: %x
Unsupported manifest flags sent. Flags: 0x%X, ResourceStr: %s, ResourceInt: 0x%X, Path: %s
PIPE
Failure: 0x%X in CEncryptStream::Write, _pBaseStream->Write()
End tag of %s element not found
Expecting end tag of element %s
End tag does not correspond to %s
End tag not completed for element %s
Failure: 0x%X in CDecompressStream::Write, inflate()
Failure: 0x%X in CDecompressStream::Write, _pBaseStream->Write()
Wuser32.dll
UltraISO.exe_3304_rwx_03200000_00001000:
.text
`.rdata
@.data
.trace
@.rsrc
@.reloc
UltraISO.exe_3304_rwx_10000000_00001000:
.text
`.rdata
@.data
.rsrc
@.reloc
UltraISO.exe_3304_rwx_6B194000_0000B000:
.?AVCRexPortHandle@@
.?AUIRexPortHandle@@
.?AVCRexSocketMsg@@
.?AVCHttpParser@@
.?AVCHttpRexClient@@
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Data\UltraISO Premium\local\temp\ce8_0x00400000.tls (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E99_4EB65D2EF896F9A30A10A7F798B64304 (472 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6DE0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\001836CEC9B3850D003670B9D75C6973 (416 bytes)
C:\Data\UltraISO Premium\xsandbox.bin.__tmp__ (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_4EB65D2EF896F9A30A10A7F798B64304 (696 bytes)
C:\Data\UltraISO Premium\local\stubexe\0xFC42E76D3189D234\UltraISO.exe.__tmp__ (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\001836CEC9B3850D003670B9D75C6973 (526 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab6DDF.tmp (51 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.