MD5: ff0e26370a68a0acb16dde3137f6e3dc
SHA1: 632329c889e87e76fe387540790d261d9b41b50d
SHA256: 966917d6e1105aaa74adad4149f8f04c33053e0f3087fa126523b7ebb4d9c081
SSDeep: 98304:u2yDX8b0jARIip0IMewJS1dh9ooXujJH7govTj0sb3JHn9nnOwgAdAEG:u2r5OipT AWoXujJbfP0sb1gwgAyE
Size: 4478464 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-28 03:50:32
Analyzed on: Windows7 SP1 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

WindowsCleintc.exe:3636
7818dbfd-e4e5-4941-8ccd-119c736fa192.exe:3944
WScript.exe:536
mpsetup.exe:3932
%original file name%.exe:260
WindowsClient.exe:1100
WindowsClient.exe:3712

The Backdoor injects its code into the following process(es):

WindowsCleintc.exe:892
notepad.exe:2132
nchsetup.exe:3052

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WindowsCleintc.exe:3636 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5773.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ih8sn0w_com[1].htm (331 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_0846D508E2BCE39E6E88CB882AB20A90 (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5772.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1542 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_0846D508E2BCE39E6E88CB882AB20A90 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_ABF444171F51EB141946978F75755905 (1464 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\v1[1].js (24924 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_ABF444171F51EB141946978F75755905 (1 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5773.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5772.tmp (0 bytes)

The process 7818dbfd-e4e5-4941-8ccd-119c736fa192.exe:3944 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ce8036a4-9d31-4bb1-9078-dfd8b09bce3f\938418274.vbs (511 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ce8036a4-9d31-4bb1-9078-dfd8b09bce3f\mpsetup.exe (18795 bytes)

The process WScript.exe:536 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ce8036a4-9d31-4bb1-9078-dfd8b09bce3f\mpsetup.exe (48 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ce8036a4-9d31-4bb1-9078-dfd8b09bce3f\938418274.vbs (0 bytes)

The process mpsetup.exe:3932 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (61481 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (0 bytes)

The process %original file name%.exe:260 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp994424152.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ih8sn0w_com[1].htm (178 bytes)
C:\ProgramData\WindowsClient.exe (219797 bytes)

The process WindowsClient.exe:1100 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe (32727 bytes)

The process WindowsClient.exe:3712 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3CD4.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab564E.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3C06.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ih8sn0w_com[1].htm (331 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3C07.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7818dbfd-e4e5-4941-8ccd-119c736fa192.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1944 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar564F.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3CD3.tmp (51 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3CD4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab564E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3C06.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3C07.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar564F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3CD3.tmp (0 bytes)

Registry activity

The process WindowsCleintc.exe:3636 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5B CA A1 C2"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsCleintc_RASAPI32]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"DAC9024F54D8F6DF94935FB1732638CA6AD77C13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process WindowsCleintc.exe:892 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe"

The process 7818dbfd-e4e5-4941-8ccd-119c736fa192.exe:3944 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:536 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process mpsetup.exe:3932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ff0e26370a68a0acb16dde3137f6e3dc_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process WindowsClient.exe:1100 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\system32\userinit.exe,C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WindowsClient.exe:3712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Once]
"7818dbfd-e4e5-4941-8ccd-119c736fa192" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\WindowsClient_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NCH Software
Product Name: MixPad
Product Version: 4.27
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename: MixPad.exe
Internal Name: MixPad
File Version: 4.27
File Description: MixPad Multitrack Recording Software
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://ih8sn0w.com/	159.203.23.59
hxxp://apps.digsigtrust.com/roots/dstrootcax3.p7c
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf/EFWCFiRACEAoBQUIAAAFThXNqC4Xspwg=	192.35.177.195
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEEBxiaopEohrDGoDiNJShXU=
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCF5jSIGtXuy5
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	178.18.231.75
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==	23.46.123.27
hxxp://crl.geotrust.com/crls/secureca.crl	23.46.117.163
hxxp://apps.identrust.com/roots/dstrootcax3.p7c	192.35.177.64
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=	23.46.123.27
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEEBxiaopEohrDGoDiNJShXU=	23.46.123.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCF5jSIGtXuy5	216.58.214.238
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl	93.184.220.20
player.twitch.tv	23.64.236.196
fonts.googleapis.com	216.58.214.234

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf/EFWCFiRACEAoBQUIAAAFThXNqC4Xspwg= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: isrg.trustid.ocsp.identrust.com

HTTP/1.1 200 OK

Date: Thu, 20 Apr 2017 21:51:48 GMT

Content-transfer-encoding: Binary

last-modified: Thu, 20 Apr 2017 10:28:53 GMT

ETag: "d0216e5074d1f9b6d40488504abb7a768b8e151c"

expires: Fri, 21 Apr 2017 10:28:53 GMT

cache-control: max-age=43200,public,no-transform,must-revalidate

Content-Type: application/ocsp-response

Content-Length: 1399
0..s......l0..h.. .....0.....Y0..U0........ ..zJ.!.I...u(......2017042
0102853Z0s0q0I0... ........o.hMC..Hb... =G,../.......{,q...K.u...`....
...AB...S.sj.........20170420102853Z....20170421102853Z0...*.H........
.....:..f....h.. .?......p.'..1T.....:......['...q.......@&.j..h.....-
%.KG..F.Q..).g...xR.].G..F.i.....j.D..P.....C.\..p.....#...u$.(...)m%6
.-6.t....Si......_......o.S.}...6(.ii2.v.3`.....7..z....G.H.j...`.....
:G...$..1..22.8...e/X.K.9>...i=..g.i...|-{@...t...F....0...0...0..|
............p.GT5.P.~d:@0...*.H........0?1$0"..U....Digital Signature 
Trust Co.1.0...U....DST Root CA X30...160511163807Z..170511163807Z0..1
.0...U....US1 0...U....Digital Signature Trust1.0...U....DST1.0...U...
.DST CA X3 OCSP Signer1$0"..*.H........pki-ops@IdenTrust.com0.."0...*.
H.............0.........C#......}.>.....r....P..%b.b....mh...O....c
.?..1_...O....9.K.6I.#O..6\..`..`~.5..&.!y....;..Y.Fcob.}....nz..V....
...F...{.2.4....AIt........s..lgQ..v...P7....)dk..`...../{..^N...%-../
-.z.|w.9..TFw.(...g....K=6..xr.B9..d{..Lf......T....t.........1ne.7.t.
........F0D0...U.......0.0...U.%..0... .......0...U...........0... ...
..0......0...*.H.............9...e......I..........=|..op.#..u.2.....~
<....QGe.. 1w..>.d8~.?.Q..ZV...g.@...6>L.7{t.[.....6P...3..ci
.d.._...a....3...#.M.E..N0..:4U-H}.p_d..<..f........:J....t.......{
.........jt.I>"....S..... ...C6...E.@y.p........a..0E......T..3cR[.
..8..{.fH.)8.m;.......
<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT

If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.geotrust.com

HTTP/1.1 200 OK

Server: Apache

ETag: "71c1ad19048fd77f1dbf7a14ac6de19d:1492723823"

Last-Modified: Thu, 20 Apr 2017 21:30:23 GMT

Date: Thu, 20 Apr 2017 21:58:35 GMT

Content-Length: 325

Connection: keep-alive

Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170420212300Z..170430212300Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H............]....dJ.g.. .
..rv._.y..}..o@u....!..e..x...(w.....R.9.)hlz.. .}...b..3...i.....5...
1...XB...a%.........}s..A..}......!..<j....E.HTTP/1.1 200 OK..Serve
r: Apache..ETag: "71c1ad19048fd77f1dbf7a14ac6de19d:1492723823"..Last-M
odified: Thu, 20 Apr 2017 21:30:23 GMT..Date: Thu, 20 Apr 2017 21:58:3
5 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: appl
ication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equi
fax1-0 ..U...$Equifax Secure Certificate Authority..170420212300Z..170
430212300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H.......
.....]....dJ.g.. ...rv._.y..}..o@u....!..e..x...(w.....R.9.)hlz.. .}..
.b..3...i.....5...1...XB...a%.........}s..A..}......!..<j....E...

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1

Cache-Control: max-age = 564348

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: g.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1377

content-transfer-encoding: binary

Cache-Control: max-age=552880, public, no-transform, must-revalidate

Last-Modified: Thu, 20 Apr 2017 07:31:59 GMT

Expires: Thu, 27 Apr 2017 07:31:59 GMT

Date: Thu, 20 Apr 2017 21:58:40 GMT

Connection: keep-alive
0..]......V0..R.. .....0.....C0..?0......V.T'S...q..."...zr.*..2017042
0073159Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U
....... ...:.....20170420073159Z....20170427073159Z0...*.H............
.J.....i~.HH..%..@...../P..F..=.0....ntM/.#..&."........I.Z2..._...../
.JM.~...........W....J..I.u..rZ.@g> ..Q{..y._...(....n.^.5..0va3..~
?..H..-L|7.$....).6.L...8...q ..d..`.R.6$.4i.v.....d .....t..Y.t......
..j.8.k...../.qE. .=.......6#F!......z.n-.?@..1..p....0...0...0..s....
........ ...y..^..g0...*.H........0B1.0...U....US1.0...U....GeoTrust I
nc.1.0...U....GeoTrust Global CA0...161208112535Z..171214112535Z02100.
..U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*.H.............
0...............S....!....,.t.?....d...M@.._.=.S..,."......Gdv._c..D1.
.N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.zI9.Y....../....
.;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]yi.....3.......
F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym........0..0...
U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... .......0..
.U...........0...U.......0.0"..U....0...0.1.0...U....TGV-OFF-570...*.H
..............md.....yV{......y:5..@l#..5.......o..X....,r}......i..3.
.o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.......a.....G..\.'*
.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....b..K...PO47.J..
...{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\_..'.]q.f._.WN.
...
<<< skipped >>>

GET /CRL/Omniroot2025.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT

If-None-Match: "200da-5b6-4eb453c33260e"

User-Agent: Microsoft-CryptoAPI/6.1

Host: cdp1.public-trust.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/x-pkcs7-crl

Date: Thu, 20 Apr 2017 21:59:05 GMT

Etag: "200c0-d9f-54ce6d01eb69d"

Last-Modified: Tue, 11 Apr 2017 16:45:01 GMT

Server: ECS (fcn/418B)

X-Cache: HIT

Content-Length: 3487
0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U..
..CyberTrust1"0 ..U....Baltimore CyberTrust Root..170411160103Z..17070
7160103Z0...0....'k...120111220757Z0....'k...120111220847Z0....'.C..13
0130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140
212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..1004
14175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....10021
6203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208
175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...1101141
62156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0
.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...1
20111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..10
0414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101
208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..1103
02154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..10041
4175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714
160903Z0....'s...130123162633Z0....'....130904190524Z0....'....1310242
14319Z0....'....140129172435Z0....'....140129172453Z0....'....13102421
4310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155
638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...1506031846
05Z0....'k...150603185020Z0....'k...150603185058Z0....'k...15060318513
1Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909
Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCF5jSIGtXuy5 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Tue, 18 Apr 2017 15:07:25 GMT

Expires: Sat, 22 Apr 2017 15:07:25 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Cache-Control: public, max-age=345600

Age: 197481
0..........0..... .....0......0...0......J......h.v....b..Z./..2017041
8010024Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.^cH..^......20170418010024Z....20170425010024Z0...*.H.............G..
\/..r.j....JiB....a.....xaY........._.>.k.o...0(}.b.C._...'h.,9.>
;.M. .I9...1.c.L..4..[..us3.d..V.<U.G.cy.(..Jr...U-......Wv.Uq.....
^p.4..........e....y.l...5.&.E..Zi.=...j,K......._.......E..q.6.....c.
.D...)n(.f.Qc........2.}XA>}.j....uDz..G..[...q ...}HTTP/1.1 200 OK
..Content-Type: application/ocsp-response..Date: Tue, 18 Apr 2017 15:0
7:25 GMT..Expires: Sat, 22 Apr 2017 15:07:25 GMT..Server: ocsp_respond
er..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Opti
ons: SAMEORIGIN..Cache-Control: public, max-age=345600..Age: 197481..0
..........0..... .....0......0...0......J......h.v....b..Z./..20170418
010024Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..
^cH..^......20170418010024Z....20170425010024Z0...*.H.............G..\
/..r.j....JiB....a.....xaY........._.>.k.o...0(}.b.C._...'h.,9.>
.M. .I9...1.c.L..4..[..us3.d..V.<U.G.cy.(..Jr...U-......Wv.Uq.....^
p.4..........e....y.l...5.&.E..Zi.=...j,K......._.......E..q.6.....c..
D...)n(.f.Qc........2.}XA>}.j....uDz..G..[...q ...}..
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=428731, public, no-transform, must-revalidate

Last-Modified: Tue, 18 Apr 2017 21:01:44 GMT

Expires: Tue, 25 Apr 2017 21:01:44 GMT

Date: Thu, 20 Apr 2017 21:58:35 GMT

Connection: keep-alive
0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..2017041
8210144Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..Q?.t8p.4@A.0........20170418210144Z....20170425210144Z0...*.H.....
..........}..K2M(./O*.m.......7~....f...feR.....B<.bmM....v.h...dC.
.. .,d yG.......V....::EL.8.=..h......`AK...f....$.Ogs" .,..8.....b...
......9...n.v.R. Y....>.....J.l/.PR./q.<....Y...Z....t..8..."e..
b]..qEn.v...[.vK.i..m.v.;.K....T.....j.......1jL....O.PS~- G/.{....0..
.0...0..........^..)......<...T.0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2
006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Cla
ss 3 Public Primary Certification Authority - G50...161122000000Z..171
214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Sy
mantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responde
r Certificate 50.."0...*.H.............0.............................m
..|........1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C
.j.)Z........ ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1
...#..H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e
.4.....D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a
..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0..
.hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .
....0......0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=
...r..7Z0...U.#..0.....e......0..C9...3130...*.H.............<w
<<< skipped >>>

GET /roots/dstrootcax3.p7c HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: apps.identrust.com

HTTP/1.1 200 OK

Date: Thu, 20 Apr 2017 17:19:51 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT

Accept-Ranges: bytes

Content-Length: 893

Cache-control: max-age=86400

Keep-Alive: timeout=5, max=100

Content-Type: application/x-pkcs7-mime
0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D.....'..0
9...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U..
..DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital S
ignature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..
..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.
2....w..{........s.z..2..~..0....*8.y.1.P..e..Qc....a.Ka..Rk...K.(.H..
....>.... .[.*....p....%.tr.{j.4.0...h.{T.....Z...=d......Ap..r.&.8
U9C....\@..........%.......:..n.>..\..<..i....*.)W..=....]......
B0@0...U.......0....0...U...........0...U..........{,q...K.u...`...0..
.*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~
.....K. D.....}..j.....N...:.pI............:^H...X._..Z.......Y..n....
...f3.Y[....sG. ...7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G
..P.......dc`........}...=2.e..|.Wv...(9..e...w.j..w........).....55.1
.HTTP/1.1 200 OK..Date: Thu, 20 Apr 2017 17:19:51 GMT..Server: Apache.
.X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Last-Mo
dified: Fri, 19 Oct 2012 20:08:11 GMT..Accept-Ranges: bytes..Content-L
ength: 893..Cache-control: max-age=86400..Keep-Alive: timeout=5, max=1
00..Content-Type: application/x-pkcs7-mime..0..y..*.H.........j0..f...
1.0...*.H.........N0..J0..2.......D.....'..09...@k0...*.H........0?1$0
"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930
211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U.
...DST Root CA X30.."0...*.H.............0............P..W..be....
<<< skipped >>>

GET /roots/dstrootcax3.p7c HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: apps.identrust.com

HTTP/1.1 200 OK

Date: Thu, 20 Apr 2017 17:19:51 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT

Accept-Ranges: bytes

Content-Length: 893

Cache-control: max-age=86400

Keep-Alive: timeout=5, max=100

Content-Type: application/x-pkcs7-mime
0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D.....'..0
9...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U..
..DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital S
ignature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..
..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.
2....w..{........s.z..2..~..0....*8.y.1.P..e..Qc....a.Ka..Rk...K.(.H..
....>.... .[.*....p....%.tr.{j.4.0...h.{T.....Z...=d......Ap..r.&.8
U9C....\@..........%.......:..n.>..\..<..i....*.)W..=....]......
B0@0...U.......0....0...U...........0...U..........{,q...K.u...`...0..
.*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~
.....K. D.....}..j.....N...:.pI............:^H...X._..Z.......Y..n....
...f3.Y[....sG. ...7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G
..P.......dc`........}...=2.e..|.Wv...(9..e...w.j..w........).....55.1
.HTTP/1.1 200 OK..Date: Thu, 20 Apr 2017 17:19:51 GMT..Server: Apache.
.X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Last-Mo
dified: Fri, 19 Oct 2012 20:08:11 GMT..Accept-Ranges: bytes..Content-L
ength: 893..Cache-control: max-age=86400..Keep-Alive: timeout=5, max=1
00..Content-Type: application/x-pkcs7-mime..0..y..*.H.........j0..f...
1.0...*.H.........N0..J0..2.......D.....'..09...@k0...*.H........0?1$0
"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930
211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U.
...DST Root CA X30.."0...*.H.............0............P..W..be....
<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ih8sn0w.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Thu, 20 Apr 2017 21:58:03 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXps://ih8sn0w.com/
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx</center>..</body>..</html>..HTTP/1.1 301
 Moved Permanently..Server: nginx..Date: Thu, 20 Apr 2017 21:58:03 GMT
..Content-Type: text/html..Content-Length: 178..Connection: keep-alive
..Location: hXXps://ih8sn0w.com/..<html>..<head><title&
gt;301 Moved Permanently</title></head>..<body bgcolor=
"white">..<center><h1>301 Moved Permanently</h1>&
lt;/center>..<hr><center>nginx</center>..</bod
y>..</html>....

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEEBxiaopEohrDGoDiNJShXU= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1609

content-transfer-encoding: binary

Cache-Control: max-age=364622, public, no-transform, must-revalidate

Last-Modified: Tue, 18 Apr 2017 03:11:31 GMT

Expires: Tue, 25 Apr 2017 03:11:31 GMT

Date: Thu, 20 Apr 2017 21:58:41 GMT

Connection: keep-alive
0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....2017
0418031131Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C
....@q..)..k.j...R.u....20170418031131Z....20170425031131Z0...*.H.....
........z..(N`.v.............5.RT.c}..<B..s@.0...3L...C.....3@..7Xr
...KH.S.....y.....]=g...$mt..........^..-.u.5..q C.m...@STO.7..]......
......&.QC..b.F.{BS...y..R......3*...BR...e.5...C..*._......{.R,.B...3
......... O.w......ml..).....$.&.f..d.._nP9..&.~JI0.........n0..j0..f0
..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0...U....Sym
antec Corporation1.0...U....Symantec Trust Network1/0-..U...&Symantec 
Class 3 Secure Server CA - G40...170204000000Z..170505235959Z0@1>0&
lt;..U...5Symantec Class 3 Secure Server CA - G4 OCSP Responder0.."0..
.*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0....!....Z.G
..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...X.{.6. .4
...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..*./......
.b..Q4...H.s.........(...toW...9...............&...D...{T{........4.;/
pa<...........0...0... .....0......0"..U....0...0.1.0...U....TGV-D-
38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u.....x..7..0.
..U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://VVV.symau
th.com/cps0*.. .......0...  hXXp://VVV.symauth.com/rpa0...U.%..0... ..
.....0...U...........0...*.H.............x..b5XG.........T^2.....T....
..........zq.............f....#|.....P...R.....]...la.(.21{...C.....K.
....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3.....<._,.
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86410

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/vnd.ms-cab-compressed

Last-Modified: Tue, 28 Feb 2017 17:51:01 GMT

Accept-Ranges: bytes

ETag: "80b03039eb91d21:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Content-Length: 52122

Date: Thu, 20 Apr 2017 21:58:23 GMT

Connection: keep-alive

X-CCC: UA

X-CID: 2
MSCF............,...................I.................\JTN .authroot.s
tl.W.H..7..CK...<........i.g.B.A.E#D..Z.d..d..AH))..B%......,QH.Y.$
JE...Lu3...{....g.8....>.s 1..... ....Y0tT'..m...*....0..H.RS..@`..
^Z.iZ...Vf..'.o'n. ..._...........ow..b.)#..*8eE.De..~....a..uMo.8@.Q.
.]2\..v.R..#|D...P&..;.:...QS!B.._....G*.F......?..!sf........cY......
i..KgVv1..Z..E.yO9.D`....M...gi.F...LZ.<../...1un...,>..<..L.
M.F...r.. ?(...BA..d.V~.........l$=....`_... w.T.....!..H..X..{3..T..6
.rq...B._......._.....C..}.......;.8V..a...;44t..hTF.m....'....[.J..F.
.!.|o.6P...X.N..w$.G..l...........)..n..|4.<(......w6.G..P)...$....
x.A...9X.......`..v|..Dt.D(.q....gY.)............Jxp......_.5d..y..M..
..x...m.E.....?.&..NI.....h.?......{.\rN7......d..P..~.T...O#.ud. ....
.w.....&0..uP.hk..]..29..6..h..x.c.h.h4.....=..V..Z....5..N.:.7..N.yZ.
.].....f...V.R.o.u3..SF.O..$..T....qj .d.[....E. y..p.E...c.d..5.>.
.FL....ZU.e......O.........=...#7z....]..YX...G....4.....-..\.K.,.....
uh....IO..sz.....a....y2g..E.Y.:#.7...4a.....A. 2....hDL.......Y>;.
gW......E.E.}R'.{......=..C...p.y8....c.......du9.y..v..<..../1....
~...DV.I..s"..d..ZQ..i.....fq..I3...{7#.m.Y)...Ey..8...@...v...o . .{.
.|....x.N.."G"..v... r.......................=...?1r..)`&.f....!...$.8
..-.~5.....5a^.n.n.H?~j./t.E......N..D.#|.4n.f...@..y-.CM....c .......
..Q..#..T.v.....f.....[.p`....P3._...d..n.X.....8D.B$..`E\ .5....I.H..
@../1:...c..O......~...............d....>.%.....nU...Az.(..g....-.c
.V.w.......W$...)...cB.y....Kd.....-.X;e`0....T.U~.r.....\:..8....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf/EFWCFiRACEAoBQUIAAAFThXNqC4Xspwg= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: isrg.trustid.ocsp.identrust.com

HTTP/1.1 200 OK

Date: Thu, 20 Apr 2017 21:51:48 GMT

Content-transfer-encoding: Binary

last-modified: Thu, 20 Apr 2017 10:28:53 GMT

ETag: "d0216e5074d1f9b6d40488504abb7a768b8e151c"

expires: Fri, 21 Apr 2017 10:28:53 GMT

cache-control: max-age=43200,public,no-transform,must-revalidate

Content-Type: application/ocsp-response

Content-Length: 1399
0..s......l0..h.. .....0.....Y0..U0........ ..zJ.!.I...u(......2017042
0102853Z0s0q0I0... ........o.hMC..Hb... =G,../.......{,q...K.u...`....
...AB...S.sj.........20170420102853Z....20170421102853Z0...*.H........
.....:..f....h.. .?......p.'..1T.....:......['...q.......@&.j..h.....-
%.KG..F.Q..).g...xR.].G..F.i.....j.D..P.....C.\..p.....#...u$.(...)m%6
.-6.t....Si......_......o.S.}...6(.ii2.v.3`.....7..z....G.H.j...`.....
:G...$..1..22.8...e/X.K.9>...i=..g.i...|-{@...t...F....0...0...0..|
............p.GT5.P.~d:@0...*.H........0?1$0"..U....Digital Signature 
Trust Co.1.0...U....DST Root CA X30...160511163807Z..170511163807Z0..1
.0...U....US1 0...U....Digital Signature Trust1.0...U....DST1.0...U...
.DST CA X3 OCSP Signer1$0"..*.H........pki-ops@IdenTrust.com0.."0...*.
H.............0.........C#......}.>.....r....P..%b.b....mh...O....c
.?..1_...O....9.K.6I.#O..6\..`..`~.5..&.!y....;..Y.Fcob.}....nz..V....
...F...{.2.4....AIt........s..lgQ..v...P7....)dk..`...../{..^N...%-../
-.z.|w.9..TFw.(...g....K=6..xr.B9..d{..Lf......T....t.........1ne.7.t.
........F0D0...U.......0.0...U.%..0... .......0...U...........0... ...
..0......0...*.H.............9...e......I..........=|..op.#..u.2.....~
<....QGe.. 1w..>.d8~.?.Q..ZV...g.@...6>L.7{t.[.....6P...3..ci
.d.._...a....3...#.M.E..N0..:4U-H}.p_d..<..f........:J....t.......{
.........jt.I>"....S..... ...C6...E.@y.p........a..0E......T..3cR[.
..8..{.fH.)8.m;.......
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

mpsetup.exe_3932:

.text

`.rdata

@.data

.rsrc

@.reloc

WSSh8"8

FVSSh

kernel32.dll

SETUPAPI.dll

ole32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

USER32.dll

KERNEL32.dll

`, -,,, ,,,18

<requestedExecutionLevel level="highestAvailable" uiAccess="false"/>

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--The ID below indicates app support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--The ID below indicates app support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--The ID below indicates app support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

resource.dat

.ED:t

MixPad.exe

g*.MD8

.qWu0

)%~x%X2

]tdtC.GN

@%x?@

o.EIC

1-/%s

.cfH3

.jkVF

t)V%1s

A.hKV

.qP$4

|)%sWh.

.ln-~)

.JgTP

.bUO1

\WJcC.FC5

nL.RKv

CMdE#0

JlK|%x

o%dSW_2

H6.zD

m.vDG

 n%j%f

.pMf]Q

y%X#ELO

ev3Rk~%U

6=.NE

*%C_/

(.Xqh%ZxuL

n%S::

.Lz S

ØKO

\Ró

OGU%c

9:K%S

%SWPm

UÏb

rx1}%6SO

LZ.Bt

.uJ3q

%d%4m

st|c.uA

W;ú]

dN[.NLm

oA`%U&

m.TX6sX

i.YyqU

.gRBj

LS.DT

.UwU8

J44S[H.Im

*,U%x

i.Pz8~

.tN}A

|X]2(0%U

Bq%U7>4

VS.GXKh9*.v

DD%sB9q

nil%Sh

@%5%X

Kw.RZ

%Fs>b

cGT.AB6yYda

F.QQ^ <

JH&ýiZavY

}%Xs&

V%fv M

I5o%X

%S!EX

#v%Xl

x.

ÞCi

RE.zB

.zhT~

$T.xy

H\.gHD

`W~.id

=a"-q}

m[%s{

LIJ.UR

s n.xZ

,.xmf

O2.mC

-2}3D

^'u6%S

94%C]

/.Qa>[r

>dv9.SB

hXXp://%s/components/%s

S.jTn

Y%smm#

o%Cl2

ji.Hu

IFJ%FZ.*

f,B%d

&.yTR

.we0`.

.BjQJ

X-Ls.Bp

>X Ê

jL"|e.Bs|

.MGi 

i.fcum

*0%Su

Ub%dr

=;X.EQ

%F/qt

gz.mx`

}%C$o

]S`%u

VS6B%X

.duv/

Windows 98/ME Support

This version of the application requires Windows XP/2003 or later.

Do you want to go the website and download the Windows 98/ME version if one is available?

hXXp://VVV.nch.com.au/software/win98/index.html

Windows 2000 Support

Do you want to go the website and download the Windows 2000 version if one is available?

hXXp://VVV.nch.com.au/software/win2000/index.html

nchsetup.cab

nchsetup.exe

nchdata.cab

nchdata.dat

-installer "%s" -instdata "%s" -instby %s

-installer "%s" -instdata "%s"

%d.%d.%d.%d

Software\NCH Software\Components\%s

VVV.nch.com.au/mixpad

nchsetup.exe_3052:

.text

`.rdata

@.data

.rsrc

@.reloc

@%x!-

F%x!-

SRSSSSSSSh

T$D8P%u

tJSShh

Mùy

SSSh;

^.WSV

RPSSh

t 8^%u

SQSSSSSSSh

F.hlK.

9HLt%S

PSSSSh

QSSSSh

E%x!-

PSSSSSSSh

PSSSSSSh

SSShxF.

G<PRSSSSh

SRjePSSSSh

SRVPSSSSh

F<PRSSSSh

SRj{PSSSSh

SRj|PSSSSh

t$PRjePSSSSh

SSSSh

SQjfRSSSSh

SQVRSSSSh

SRjhPSSSSh

SPSSSSSSSh

RSSSSh

D$(=.sndt

G%fnid

^ SSSh

N%UUhG

|$09|$$}*

.tOj%

mscoree.dll

.mixcrt

KERNEL32.DLL

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

gdiplus.dll

UxTheme.dll

dwmapi.dll

hXXp://%s/components/%s

LastFailKey=%s_%s

LastFailKey=%s

software=MixPad&version=4.27&report=UINSTALL&text=%s-%s&language=en&platform=Win%s&extra1=%d&trylmt=%s%s

kernel32.dll

user32.dll

uu%c%c%c

hXXp://VVV.audiochannel.net/versions/components/%s.txt

hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d

hXXp://VVV.audiochannel.net/versions/mixpad.txt

comctl32.dll

TaskDialogIndirect

software=MixPad&version=4.27&report=COMMENT&text=COMMENT-%s&language=en&platform=Win%s%s

http=

%s/%s

POST %s HTTP/1.0

Host: %s

Content-Type: application/x-www-form-urlencoded

Content-Length: %d

application/x-www-form-urlencoded

HTTP/1.

c:\sourcecode\mixpad\../llib/net/ssl.cpp

hXXps://api.dropbox.com/1/oauth/request_token

api.dropbox.com

hXXps://api.dropbox.com/1/oauth/access_token

hXXps://api-content.dropbox.com/1/files_put/%s/%s

hXXps://api-content.dropbox.com/1/files_put/%s/%s?overwrite=false&parent_rev=%s&autorename=false

hXXps://api-content.dropbox.com/1/files/%s/%s

?rev=%s

hXXps://api.dropbox.com/1/fileops/delete

root=%s&path=%s

hXXps://api.dropbox.com/1/metadata/%s/%s

hXXps://api.dropbox.com/1/account/info

code=%s&client_id=301431521283-v33b6ahndtiem04eeqm7kampikh98sf0.apps.googleusercontent.com&client_secret=f8lE35d3AKTFi8C0cUTZiOYF&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code

hXXps://accounts.google.com/o/oauth2/token

refresh_token=%s&client_id=301431521283-v33b6ahndtiem04eeqm7kampikh98sf0.apps.googleusercontent.com&client_secret=f8lE35d3AKTFi8C0cUTZiOYF&grant_type=refresh_token

Content-Type: %s

POST /upload/drive/v2/files?uploadType=multipart HTTP/1.1

Host: VVV.googleapis.com

Authorization: Bearer %s

hXXps://VVV.googleapis.com:443/drive/v2/files/%s

revisionID=%s&alt=media

hXXps://VVV.googleapis.com:443/drive/v2/files/%s/trash

q=%s&fields=items(mimeType,title,fileSize)

hXXps://VVV.googleapis.com:443/drive/v2/files

q=%s&fields=items(id,title,parents)

q=%s&fields=items(id,headRevisionId)

oauth_consumer_key=%s&oauth_nonce=%s&oauth_signature_method=HMAC-SHA1&oauth_timestamp=%s&oauth_token=%s&oauth_version=1.0

%s%=%s

%&%s

%s://%s

%s&%s

Authorization: OAuth realm="%s",oauth_version="1.0",oauth_consumer_key="%s",oauth_token="%s",oauth_timestamp="%s",oauth_nonce="%s",oauth_signature_method="%s",oauth_signature="%s"

HTTPS

GET %s%s%s HTTP/1.0

Content-Disposition: form-data; name="%s"; filename="dummy.dum"

Content-Disposition: form-data; name="%s"; filename="%s"

Content-Disposition: form-data; name="%s"

nchuploadformdataviahttp

POST /%s HTTP/1.1

%s%sAccept: */*

Content-Type: multipart/form-data; boundary=%s

%s %s HTTP/1.0

%s%s%sContent-Length: %d

hXXps://api.soundcloud.com/tracks.json

api.soundcloud.com

hXXps://api.soundcloud.com/tracks/%u.json?oauth_token=%s

download_url

%s?oauth_token=%s

hXXps://api.soundcloud.com/me/tracks.json?oauth_token=%s

hXXps://api.soundcloud.com/me.json?oauth_token=

%s=%s

freedb.musicbrainz.org

freedb.freedb.org

cddb query %s %d

GET /~cddb/cddb.cgi?cmd=cddb query %s %d

&hello=anonymous localhost MixPad 4.27&proto=6 HTTP/1.0

cddb read %s %s

GET /~cddb/cddb.cgi?cmd=cddb read %s %s

Mfplat.dll

GET %s HTTP/1.0

CONNECT %s:%d HTTP/1.0

%d %d

webm

?#%X.y

c:\sourcecode\mixpad\release\MixPad.pdb

GdipSetPenLineJoin

GdiplusShutdown

GetProcessHeap

PeekNamedPipe

CreatePipe

KERNEL32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegOpenKeyW

RegEnumKeyW

RegQueryInfoKeyW

CryptDeriveKey

CryptDestroyKey

RegEnumKeyExW

RegDeleteKeyW

CryptDuplicateKey

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

SetViewportExtEx

SetViewportOrgEx

GetViewportExtEx

GDI32.dll

acmDriverOpen

acmDriverEnum

acmDriverClose

acmDriverDetailsW

MSACM32.dll

ole32.dll

OLEAUT32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

SHDeleteEmptyKeyW

SHDeleteKeyW

SHLWAPI.dll

GetAsyncKeyState

CreateDialogIndirectParamW

GetKeyState

UnhookWindowsHookEx

GetKeyNameTextW

keybd_event

MsgWaitForMultipleObjects

SetWindowsHookExW

MapVirtualKeyW

EnumThreadWindows

GetKeyboardState

USER32.dll

midiOutShortMsg

WINMM.dll

WS2_32.dll

NETAPI32.dll

MSIMG32.dll

iphlpapi.dll

WININET.dll

GetCPInfo

GetConsoleOutputCP

zcÁ

ZP@%C

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe

22222212

~}||||}~

970000000000

94000000000

93000000000

1526%`41

6."6))6".6

.1/1""1-0.

1111111111111

222222222222222

#0110000

"00 $1100

"00 $110

"000110000

"0011000

,7"5!02$

.42222.2222.22.2

22- -.-2222.2222

2.2222.22

.2.--.22.22222.2

.22.2.224.2

- '#%'%'"

%!#%###%##%

-.22.22.4

222..22-4

2' -..2.2

'##%'(''%

'(2.2.2

&'''&'''

&'''&'''&'

&'''&'''&'''$$$

&'''&'''&'''&

%CJJI,

???7.fn

.vu~~

.Chuzvvw

'%%''%%%%''%%'

'%%'$$%%$$'%%'

'%%%%$$$$%%%%'

$0000<222<<<9$

'.ONKD@;

C3.PC3.

2222222222222

222222222222

2222222222

22222222

22222222

!$$%%$%%$

!##$$$%%%$$$

####$$$$#

22222225255511111111

222222525255511111

2222222525255511

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>

<requestedExecutionLevel level="asInvoker" />

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--The ID below indicates app support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--The ID below indicates app support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--The ID below indicates app support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

mhXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE" xmpMM:DocumentID="xmp.did:314D5A19534B11E0A6A5AAFBD55133F0" xmpMM:InstanceID="xmp.iid:314D5A18534B11E0A6A5AAFBD55133F0" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6AAD5DF4A53E0118E8DE62C10C1BCAC" stRef:documentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

f.qLf1

; ;$;(;,;0;4;8;<;

> >$>(>,>0>4>8><>

11K1k1s1

>!>'>:>`>

1)2.2`2{2

2 2$2(2,202

9(9-979?9

: :$:(:,:0:4:8:<:

3O4L4

6-7K7X7v8}8

?!?0?7?>?\?

=(>0>7>>>

3-3K3v3}3

6 6`6C6I6V6g6

6 6$6(6,60646

:,:7:=:~:

5#5(5-545

;$;*;4;<;];

1-2_2m2

<4=8=<=@=[=

5 5$5(5,50545[5

=.=3=@=_=}=

9&9-949;9

3'3-3P3W3k3q3}3

9 9$9(929@9|9

2%3S3

*01080?0

4#5)5/555

1&1/151:1

1!1*121!2 282

0	0D0

View previous editor operations

Export MIDI to audio

Track Key

Export to a file

Set up key bind to this track

Export current project to video file

Export current project to audio file

Export to Audio

Export Clip

Export sound to a video file

Video Export

Export & Burn

Add Highpass Effect

Apply and discard any trimming operations on the selected clip

Edit the meta-data which will be used to tag your exported audio files.

Join Clips Into One Clip

Join

Export Mix

Join Clips

Export Project to Video as Audio Track...

Export Project as Audio File and Burn to CD...

Export Project as Audio File (mp3, wav, etc.)...

.mpeg

.dart

.mpga

%s%s%s

Software\Classes\%s

MixPad-%d-%d

mixpad.exe

%s\%s

.divx

.xvid

.webm

control.exe mmsys.cpl,,0

sndvol32.exe

%sChannel

control.exe mmsys.cpl,,1

sndvol32.exe /rec

[MME] %s

[DirectSound] %s

[ASIO] %s

accent.wav

beat.wav

empty.mid

ExportFilePath

Export

TrackInputChannels%d

WindowStateMixer

WindowStateBookmarkManager

%s %s

Software\NCH Software\%s\Settings

Software\NCH Swift Sound\%s\Settings

"%s" %%s

hXXp://VVV.nch.com.au/components/%s.exe

Waiting for %s

MixPad will continue when %s closes.

-show -type data -burn -exit "%s"

shell32.dll

VVV.nch.com.au/mixpad/index.html

VVV.nch.com.au/mixpad/support.html

hXXp://nch.invisionzone.com/index.php?/forum/69-mixpad/

hXXp://VVV.nch.com.au/suggestions/index.html?software=MixPad&version=4.27

hXXp://VVV.nch.com.au/software/bug.html?software=MixPad&version=4.27&data=%s

High Pass

Low Pass

Searching and caching VSTs...Searching

VSTName %d

VSTPath %d

0:00:00.000

"%s" "%s"

Lowpass

"%s" -w "%s"

"%s" "%s" "%s"

Cannot open the file "%s" because it is corrupt.

Cannot open the file "%s". Check it exists and you have read access.

Cannot open the file "%s". It is possible the file format is not supported by MixPad. Please see "hXXp://VVV.nch.com.au/acm/formats.html" for more information.

Cannot open the file "%s" because the required codec ("%s") is not installed. See "hXXp://nch.com.au/acm/index.html" for more information.

Cannot open the file "%s" because it is using an unknown codec or is possibly not a real wave file.

Cannot open the file "%s". It is possibly either corrupt or not a true layer-3 MPEG file.

Visit "hXXp://VVV.microsoft.com/directx" to obtain the latest version.

Cannot open the file "%s" because it is encrypted.

Download Express Scribe from VVV.nch.com.au/scribe to open encrypted files.

.flac

The decoder process failed when decompressing the file "%s" to wave format. It is possible your logon account does not have write access to the folder "%s"

Cannot open file "%s". It is possible that the file is protected with Digital Rights Management (DRM) which limits where the audio file can be used.

Cannot open the file "%s". It is possible you do not have the Sony plugin installed or your recorder is not supported. If you do not have the plugin please download it from "hXXp://VVV.nch.com.au/scribe/sony.html".

Loading %s

%s %d

.mpdp-recover

%s.mpdp

%s.ProjectData

Recover.mpdp-recover

Applying settings to track %d of %d

TrackOutputLeft%d

TrackOutputRight%d

Audio Playback Device: %s

TrackInputDeviceName%d

TrackInputLeft%d

TrackInputRight%d

TrackMidiOutputDevice%d

TrackRecordMidi%d

TrackMidiInputDevice%d

VSTi Plugin Support

File does not exist: %s

Not enough memory available to load %s

Cannot open xml file: %s

e%2x%2x%*s

ex\dx

- %s%s

%s by NCH Software%s%s

- Licensed to %s

Export Clip as (mp3, wav, etc.)...

Current Length: %s

Current End Time: %s

exporting

export

.aifc

.opus

.aiff

ExportTags

The file path you are exporting to already exists. Would you like to overwrite the existing file?

Wave (*.wav)

*.wav

MPEG Layer-3 (*.mp3)

*.mp3

Windows Media Audio (*.wma)

*.wma

Ogg Vorbis (*.ogg)

*.ogg

Opus (*.opus)

*.opus

Apple AIFF(*.aif, *.aiff, *.aifc)

*.aif;*.aiff;*.aifc

Sun AU (*.au)

FLAC (*.flac)

*.flac

AAC (*.aac)

*.aac

GSM (*.gsm)

*.gsm

Dialogic Vox (*.vox)

*.vox

Raw Audio (*.raw)

*.raw

RSS Podcast Audio (*.rss)

*.rss

AMR Narrowband Audio (*.amr)

*.amr

Musepack Audio (*.mpc)

*.mpc

Monkey's Audio Codec (*.ape)

*.ape

Speex (*.spx)

*.spx

tmp.mpdp

Cannot open the file "%s" for writing.

Unable to move the temporary project file at '%s' to '%s'. You may not have permission to write '%s'?

MixPad could not export the project to the target file - %s - Check to see if the file is in use by another application and try again.

Exporting Clip...

.float

*.aud

*.float

Cannot open the file "%s" for reading.

The file %s is not a correct MixPad project file. Cannot open.

Converting project failed. Cannot load project.%s

ColorChannel %d

.dvr-ms

%s\NCH Software\Stock\Audio

MixPad Multitrack Recording Software - %s

%s\Mixpad Projects\VST

.mpdp

MixPad can't open the project data folder (%s). Has this folder been deleted or moved?

MixPad can't find the following VST: %s - Would you like to locate this VST now?

Track %d is set to monitor MIDI recordings via VSTi, but your ASIO hardware buffers are too small for this task. Please decrease the size of the buffers to below 25ms or remove the monitoring option from this track.

Track %d is set to monitor input recordings, but your ASIO hardware buffers are too small for this task. Please decrease the size of the buffers to below 25ms or remove the monitoring option from this track.

This MIDI file contains %d tracks. Would you like to import each track as a separate clip or merge them into one clip?

Import MIDI options

Mixpad does not support this file: %s.

Unsupported File Type

Loading file %s failed, please check your file is valid.

*.grf

The project file " %s " does not exist, please load another project.

Exporting Project

You are creating a surround sound project. Do you wish to export the project as a surround sound wav file?

Wav File (*.wav)

Exporting audio

Could not find a component to export project to a file.

MIXPADExporttimed15off

MIXPADExporttimed15on

LastExport

-type data -file "%s"

-type audio -file "%s"

MixPad Project (*.mpdp)

*.mpdp

*.wav;*.mp3;*.oga;*.ogg;*.wma;*.aif;*.aiff;*.aifc;*.au;*.ra;*.ram;*.rm;*.rmj;*.flac;*.aac;*.gsm;*.3ga;*.vox;*.raw;*.dct;*.dvs;*.m4a;*.mp4;*.m4b;*.m4r;*.mp2;*.mpc;*.mpga;*.msv;*.dvf;*.rec;*.shn;*.amr;*.ape;*.spx;*.cda;*.wv;*.mid;*.voc;*.moh

CD Audio Tracks (*.cda)

*.cda

*.avi;*.mpg;*.mpeg;*.mp4;*.wmv;*.asf;*.mov;*.3gp;*.mod;*.flv;*.mkv;*.swf;*.dv

Wave Files (*.wav)

MPEG Layer-3 Files (*.mp3, *.mp2, *.mpga)

*.mp3;*.mp2;*.mpga

Ogg Vorbis Files (*.oga, *.ogg)

*.oga;*.ogg

Windows Media Audio Files (*.wma)

Apple AIFF Files (*.aif, *.aiff, *.aifc)

Sun AU Files (*.au)

Real Audio Files (*.ra, *.ram, *.rm, *.rmj)

*.ra;*.ram;*.rm;*.rmj

FLAC Files (*.flac)

AAC Files (*.aac, *.m4a)

*.aac;*.m4a

ALAC Files (*.caf)

*.caf

GSM Files (*.gsm)

Voc Files (*.voc)

*.voc

Dialogic Vox Files (*.vox)

Qualcomm PureVoice Files (*.qcp)

*.qcp

Raw Audio Files (*.raw)

MIDI Files (*.mid, *.smf)

*.mid;*.smf

DS2 Files (*.ds2)

*.ds2

DSS Files (*.dss)

*.dss

Sony Memory Stick Voice Files (*.msv)

*.msv

Sony Digital Voice Files (*.dvf)

*.dvf

Dictation Files (*.dct)

*.dct

Record Files (*.act, *.rcd, *.rec)

*.act;*.rcd;*.rec

Shorten Files (*.shn)

*.shn

AMR Narrowband Audio Files (*.amr)

PC Dart Files (*.dart)

*.dart

IMS Files (*.moh)

*.moh

Musepack Files (*.mpc)

Speex Audio Files (*.spx)

Opus Files (*.opus)

WavPack Audio Files (*.wv)

Windows Media Video Files (*.wmv, *.asf)

*.wmv;*.asf

MPEG Video Files (*.mpg, *.mpeg)

*.mpg;*.mpeg

Audio Video Interleave Files (*.avi)

*.avi

This file is not supported by MixPad:

Exporting MIDI Clip

Exporting a MIDI clip to an audio file can be time-consuming. Continue?

Export Project

Your project was successfully exported.

Project Export

nch.%s

"URL:%s Protocol"

URL Protocol

%s\shell\open\command

"%s\%s.exe" "%%1"

%s\DefaultIcon

"%s.exe,1"

Only 250 tracks supported.

Track %d Clips Mixed

Important

VST Support

VST Plugin (*.dll)

*.dll

Mixpad does not support VSTi automation, please choose another one.

There are no audio clips inside the control track (Track Index %d)

Analyzing Track %d's dB Level

Could not load VST plugin " %s ", please restore your VST file and reopen your MixPad project.

MixPad - Track %d - %s

The file you have selected is not supported by MixPad. Please select an audio file, video file or MixPad project file.

The Clip %s is locked. Please unlock it before deleting.

%s (%d)

You are trying to join multiple take clips. Please delete unneeded takes and try again.

Join Clips Error

Please select two or more clips you want to join.

Can't join MIDI clips with audio clips. Please select the same kind of clips.

ClipJoin

To apply pitch correction, please select a portion of a clip that is between 5 milliseconds and 20 seconds.

Track %d is attempting to use the MIDI device '%s' for recording, but is unable to do so because you have configured this device to be used as a hardware controller. Please disable MIDI hardware control if you wish to use this device for recording.

Currently MixPad does not support the multiple takes feature for MIDI recording. Please record by sound device, clear the selection on the timeline, or disable loop mode.

Uploading project file '%s' to DropBox

BtClipCrtd

nch.mixpad://authsoundcloud

Welcome.mp3

Music.mp3

There is a Bookmark at position %s, please move cursor line position and try again.

hXXp://VVV.nch.com.au/mixpad/tutorial.html

Mixpad_Clip_%d.wav

Failed to export clip to temporary wav file.

Use: Take -

This audio file contains %d channels. Would you like to load each channel to separate tracks, or load first two channels into one stereo clip?

%s %d

%s %s %d

Applying fade points for %s

%s %s

%d_%d-%d-%d_%d-%d-%d.%s

%d_%d-%d-%d_%d-%d-%d_%s

Volume: %d dB

Pan: -%%

Pan: -%%Right

Pan: -%%Left

Take ID: %d

Total Takes: %d

Position: %s, dB: -%lc

Position: %s / dB: %d

Position: %s / Pan: %.2f

%s - %s %d - %s

%s: -%lc dB

%s: %d dB

%s: -%%

Load %s Failed

%s / %s

%d%% Left

%d%% Right

Track Volume %d dB

Position: %d MS, Percent: %.2f

Speaker %s:

bShowNoSoundMsg

The file %s does not exist or cannot be accessed.

hXXp://VVV.nch.com.au/wavepad/free-vst-plugins.html

The path: "%s" is invalid.

Note: %d

Controller: %d, Value: %d

Program Change: %d

Message %d, Data1 %d, Data2 %d

Jog Wheel %d

Message %d

Value %d

Control: %d

Speaker id %d

TrackMidiPlayVirtual%d

TrackVSTi%d

TrackMonitorMIDI%d

TrackMonitorMIDIVSTi%d

%s_channel%d.wav

%d-%d-%d_%d-%d-%d_%d%s

%d-%d-%d_%d-%d-%d_%d.%s

Track %d

Volume level: %d. Drag to change volume level.

*.kit

Beat Designer - Effects - Track %d

Export Error

Beat Designer Export

Beat Designer does not support such a type

Exporting to file

Exporting to file failed.

.pattern

Do you want to overwrite the existing pattern: "%s" ?

hXXp://VVV.audiochannel.net/stock/audio/mixpaddrumpacks/pack1.zip

pack1.zip

hXXp://VVV.nch.com.au/mixpad/tutorial.html#beatmaker

*.pattern

The file %s is not a valid file. You must select a file which was created with the Beat Designer.

New Sound %d

One instrument can only support 20 files at most and all other files will be ignored.

Change divisions and key

Bind Key:

No Key Bind

NUMPAD %d

%d/%d

%s -mpopen

*.mid

LastUsedExportExtension

Midi Editor Export

Do not support such a file type.

Exporting

Midi File (*.mid)

Keyboard Options

%s%s%d

%s - %s: %d

Value: %d, Time: %d ms

Value: %f, Time: %d ms

Volume: %d, Time: %d ms

Channel %d

Note: %s

Start: %d

End: %d

Start: %d ms Note: %s

End: %d ms Note: %s

Velocity: %d

1/%d (%d divisions per beat)

1/%d (%d division per beat)

CommandID%d

TrackIndex%d

MidiMessage%d

MidiData1%d

MidiData2%d

MidiSet%d

MidiDeviceJogWheel%d

JogWheelMessage%d

JogWheelData1%d

JogWheelData2%d

Parameter -

%d dB

%d ms

%d.%s

Track %d is used as a control track, please deselect it or use another track as control track.

Choose Export File...

*.264;*.3gp;*.asf;*.asx;*.avi;*.bik;*.dat;*.div;*.divx;*.dv;*.flc;*.flv;*.gif;*.m2t;*.m2ts;*.m4v;*.mjpeg;*.mkv;*.mov;*.mp4;*.mp4v;*.mpeg;*.mpg;*.mts;*.mtv;*.ogg;*.ogm;*.ogv;*.swf;*.ts;*.ts4;*.vob;*.webm;*.wmv;*.xvid;

Please choose another file, MixPad does not support the file type you selected.

AVI File (*.avi)

WMV File (*.wmv)

*.wmv

ASF File (*.asf)

*.asf

MPG File (*.mpg)

*.mpg

MOV File (*.mov)

*.mov

MP4 File (*.mp4)

*.mp4

FlV File (*.flv)

*.flv

RM File (*.rm)

DV File (*.dv)

SWF File (*.swf)

*.swf

ExportVideoFolder

Temp%d.wav

.wavpcm

.sndt

.sndr

.vorbis

.nist

.maud

.mat5

.mat4

.lpc10

.ircam

.hcom

.gsrt

.fssd

.dvms

.cvsd

.cdda

.amr-wb

.amr-nb

Bag pipe

"%s" "%s" "%s" -d

"%s" -x "%s" "%s"

"%s" -d -o "%s" -F "%s"

"%s" -o "%s" "%s"

<Sports>

Opera

Speex ACM Codec xiph.org

(unverified) For the Record - hXXp://VVV.fortherecord.com

Aureal Semiconductor RAW SPORT

Windows Media Audio Lossless V9

Windows Media Audio Professional V9

Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio

Windows Media Audio V1 / DivX audio (WMA)

Sipro Lab Telecom ACELP.KELVIN

Sipro Lab Telecom ACELP.net

Microsoft Windows Media, RT Voice

Compaq Computer VSELP (codec for Windows CE 2.0 devices)

Low Pass Shelf

High Pass Shelf

Band Pass

webpage

tar.gz

webp

hXXp://VVV.nchsoftware.com/encrypt/

hXXp://VVV.nch.com.au/ivm/

hXXp://VVV.nch.com.au/ims/

hXXp://VVV.nch.com.au/soundtap/

hXXp://VVV.nch.com.au/rip/

hXXp://VVV.nchsoftware.com/invoice/

hXXp://VVV.nchsoftware.com/accounting/

hXXp://VVV.nchsoftware.com/capture/

hXXp://VVV.nchsoftware.com/zip/

hXXp://VVV.nchsoftware.com/documentconvert/

hXXp://VVV.nchsoftware.com/imageconverter/

hXXp://VVV.nchsoftware.com/prism/

hXXp://VVV.nch.com.au/switch/

hXXp://VVV.nchsoftware.com/slideshow/

hXXp://VVV.nch.com.au/wavepad/

hXXp://VVV.nchsoftware.com/videopad/

hXXp://VVV.nch.com.au/scribe/

hXXp://VVV.nch.com.au/mixpad/

hXXp://VVV.nchsoftware.com/presentation/

hXXp://VVV.nch.com.au/burn/

hXXp://VVV.nchsoftware.com/animation/

hXXp://VVV.nchsoftware.com/design/

hXXp://VVV.nchsoftware.com/drawpad/

hXXp://VVV.nchsoftware.com/cdlabeler/

hXXp://VVV.nch.com.au/notation/

Portable Anymap

Portable Network Graphics

Joint Photographic Experts Group

.wbmp

.tiff

.jpeg

FTP file transfers

Upload your website using ftp

Manage stock, procurements and reporting

Track and Report Income and Expenditures

Zulu Disc Jockey Software

Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.

Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.

Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.

Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.

Key Blaze Typing Tutor Software

A powerful FTP client that integrates with File Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.

Fling FTP Sync Software Client

Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.

Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.

Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small to medium-sized companies.

Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.

Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.

Classic FTP - FTP Client Software

Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.

Session at Once burning FAILED to customize the track pause and/or write CD-TEXT, it may be your drive does not support this. The disc was still burned successfully and can be played.

Burner does not support MMC, unusable by Express Burn

Unsupported format of DVD disc

empty.MID

hXXps://secure.nch.com.au/cgi-bin/register.exe?software=mixpad&source=softwaretrial

mhXXp://VVV.nchsoftware.com

A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.

(v %s)

Scarica e installa in Italiano (v %s)

ais (v %s)

ol (v %s)

Download and install in English (v %s)

Auf Deutsch (V %s) herunterladen und installieren

(v %s)

hXXp://VVV.nch.com.au/components/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/mpsetup.exe

hXXp://VVV.nch.com.au/components/ko/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/ko/mpsetup.exe

hXXp://VVV.nch.com.au/components/it/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/it/mpsetup.exe

hXXp://VVV.nch.com.au/components/jp/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/jp/mpsetup.exe

hXXp://VVV.nch.com.au/components/fr/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/fr/mpsetup.exe

hXXp://VVV.nch.com.au/components/es/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/es/mpsetup.exe

hXXp://VVV.nch.com.au/components/de/mpsetup.exe

hXXp://VVV.nch.com.au/mixpad/de/mpsetup.exe

%d.%d

Global\%s

%d:%d:%d

%d-%d-%d

%d.%d.%d.%d

Software\NCH Software\Components\%s

VVV.nch.com.au/mixpad

splash.jpg

MixPad Multitrack Recording Software.lnk

NCH Software.lnk

NCH Suite.lnk

Software\Microsoft\Windows\CurrentVersion\Uninstall\MixPad

URLInfoAbout

URLUpdateInfo

Software\Microsoft\Windows\CurrentVersion

uninst.exe

Uninstall is complete. We are sorry to see you go. If you change your mind and decide to reinstall MixPad, please visit VVV.nchsoftware.com.

%d-%d-%%d

File "%s" already exists. Do you want to overwrite it?

hXXp://VVV.nch.com.au/upgrade/index.html?software=mixpad&upgradeid=%d&upgradekey=%s

hXXp://VVV.nch.com.au/activate/index.html?code=%s

hXXp://VVV.nch.com.au/suggestions/index.html?software=MixPad&version=4.27%s%s

hXXp://VVV.nchsoftware.com/software/newsletter.html?software=MixPad&version=4.27%s%s

hXXp://VVV.nch.com.au/software/audio.html

hXXp://VVV.facebook.com/NCHSoftware

hXXp://twitter.com/nchsoftware

hXXps://plus.google.com/ nchsoftware

hXXps://play.google.com/store/apps/details?id=com.nchsoftware.mixpad_free

hXXp://VVV.amazon.com/gp/product/b00fepdqpm

hXXp://itunes.apple.com/app/id883901115

hXXp://VVV.facebook.com/sharer/sharer.php?u=%s

hXXp://VVV.twitter.com/?status=%s%s

hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s

hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software

hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true

hXXp://VVV.nch.com.au/software/thanks.html

MixPad Multitrack Recording Software

hXXp://VVV.nch.com.au/software/rateit.html?software=MixPad&appname=%s&version=4.27&rating=%d&buyoffer=mixpad&os=Win%s&lang=en&base=mixpad&domain=nch%s%s%s%s&instby=%s

Certify that MixPad is being used for non-commercial, home use only

hXXp://VVV.nch.com.au/software/thanksforusing.html

&usage=XX

Installer.exe

A party who intends to seek arbitration must first send to the other, by certified mail, a written Notice of Dispute ("Notice"). The Notice to NCH should be addressed to:

A. The arbitration will be governed by the Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes (collectively, "AAA Rules") of the American Arbitration Association ("AAA"), as modified by this Agreement, and will be administered by the AAA. The AAA Rules are available online at adr.org, by calling the AAA at 1-800-778-7879, or by writing to the Notice Address. The arbitrator is bound by the terms of this Agreement. All issues are for the arbitrator to decide, including issues relating to the scope and enforceability of the arbitration provision. Unless NCH and you agree otherwise, any arbitration hearings will take place in Greenwood Village Colorado. If your claim is for $10,000 or less, we agree that you may choose whether the arbitration will be conducted solely on the basis of documents submitted to the arbitrator, through a telephonic hearing, or by an in-person hearing as established by the AAA Rules. If your claim exceeds $10,000, the right to a hearing will be determined by the AAA Rules. Regardless of the manner in which the arbitration is conducted, the arbitrator shall issue a reasoned written decision. NCH will pay all AAA filing, administration, and arbitrator fees for any arbitration initiated in accordance with the notice requirements above. If, however, the arbitrator finds that either the substance of your claim or the relief sought in the Demand is frivolous or brought for an improper purpose then the payment of all such fees will be governed by the AAA Rules. In such case, you agree to reimburse NCH for all monies previously disbursed by it that are otherwise your obligation to pay under the AAA Rules. In addition, if you initiate an arbitration in which you seek more than $75,000 in damages, the payment of these fees will be governed by the AAA rules.

B. The arbitrator may award declaratory or injunctive relief only in favor of the individual party seeking relief and only to the extent necessary to provide relief warranted by that party's individual claim. YOU AND NCH AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. Further, unless both you and NCH agree otherwise, the arbitrator may not consolidate more than one person's claims, and may not otherwise preside over any form of a representative or class proceeding. If this specific provision is found to be unenforceable, then the entirety of this arbitration provision shall be null and void.

Please check you have exited any previous running instances of MixPad Multitrack Recording Software and any other programs that might be using the file "%s". Then run the installer again.

Installation cannot be completed because the file "%s" cannot be written to.

hXXp://cgi.nch.com.au/cgi-bin/report.exe

c:\program files (x86)\

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s

NCH.MixPad%s

MixPad.BAK

%s\FileAssociations

reg.exe

%s\OpenWithProgIds

Software\Classes\%s\OpenWithProgIds

Applications\mixpad.exe

%sfile

%s,%d

%s\shell

"%s" "%%L"

Applications\mixpad.exe\shell\open\command

Applications\mixpad.exe\shell

Applications\mixpad.exe\DefaultIcon

software\classes\%s

-addremfiletyperun "%s" "%s" "%s" "%s" %d

software\classes\%s\shell\open\command

%s\Shell\%s\command

SystemFileAssociations\%s\Shell\%s\command

"%s" %s "%%L"

Software\Classes\%s\Shell\%s\command

Software\Classes\SystemFileAssociations\%s\Shell\%s\command

-addfiletyperunspecial "%s" "%s" "%s" %d

%s\Shell\%s

SystemFileAssociations\%s\Shell\%s

-remfiletyperunspecial "%s" "%s"

explorer.exe

Advapi32.dll

W"%s" %s

Error near(%d:%d): %s

explorer.exe /select,"%s"

hXXp://VVV.nchsoftware.com/%s.html

hXXp://VVV.nch.com.au/%s.html

hXXp://VVV.nch.com.au/kb/%d.html

hXXp://help.nchsoftware.com/help/en/%s/win%s/%s.html

&usagestats=%s(%d)

&usechoice=%s(%d)

?software=MixPad&appname=%s&version=4.27%s&base=mixpad&domain=nch&buyoffer=mixpad&pclass=plus&rgst=%d%s%s%s%s%s&instby=%s&help=%d

&days=%d&runs=%d

%s-%s

%%.ß

(EOF) Element <%s> should be terminated with </%s>. Check you have terminated your element properly.

Tag <%s> does not have a closing '>'

Misplaced </%s> which does not match a <%s>.

Element <%s> should be terminated with </%s>, was with %s. Check you have terminated your element properly.

Ln %d, Col %d: %s

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv

fmm%s

%sLock

A bug in the VST plugin '%s' has caused MixPad to crash. If this keeps happening you may need to remove '%s' from your project.

KeyBlaze

cftpsetup

ClassicFTP

@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder

*.lnk

mixpadsetup_v4.27.exe

"%s" -uninstall

Software\Microsoft\%s

Software\NCH Software\MixPad\%s

Opening.Drive

Waiting.for.Drive.Ready

Get.Page.5

Get.Loaded.Media

-LQUIET -instby %sMixPad

%s (%s)

audiochannel.net

VVV.nch.com.au

An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.

Software\%s\Components

_mixpad_rl_%s

Report Bug

Oops! MixPad had an abnormal termination. Help us fix this problem by clicking 'Report Bug' below and entering a bug report for our developers.

hXXp://VVV.nch.com.au/software/bug.html?software=MixPad&version=4.27&xi=AbTermOrHang-Win%d%d&data=%s

Win%d%d

Ukn0(Msg%dLstCmd%d)

(Cmd%d)

%s-%s-%s-%s

dbghelp.dll

osbits=%d&memphys=%d&cpu=%s

memfrhp=%d&memfrlg=%d

Abnormal Execution Problem

Help us fix this problem by clicking 'Report Bug' below, then sharing the details with our developers.

hXXp://VVV.nch.com.au/software/bug.html?software=MixPad&version=4.27&xi=GUI-%s&data=%s

Local\MixPadProcessEXE%s

-elevated %s %s

"%s" -exe %s

hXXps://secure.nch.com.au/cgi-bin/register.exe?software=mixpad&version=4.27%s%s%s%s%s%s%s%s&instby=%s%s%s

hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=4.27&base=mixpad&domain=nch%s%s%s%s%s%s%s

ID - Key:

hXXp://VVV.nch.com.au/upgrade/index.html

%s Registration Code:

Register %s

Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.

If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.

The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register MixPad.

ID-Key is required to complete the registration.

The code you are attempting to use is not valid for version 4.27 of MixPad (it was for version %d.xx or previous versions).

- You are using the correct ID and key for the correct product. Only the ID and key for MixPad Multitrack Recording Software will be accepted.

support/reg

registration.txt

Name: %s

Location: %s

ID - Key: %d - %s

-clear -label "MixPad Multitrack Recording Software Installer" -type data "%s" "%s"

Validate Key

Key cannot be validated. Please connect to the internet and try again.

00:00:00

2016-07-01

Click here to go to the NCH Software website to view the latest pricing

Special discount pricing is available now! Sale ends at the end of %s.

Special discount pricing is available now! Sale ends in %d days.

The feature you are attempting to use is only available in the %s of MixPad. This requires an upgrade which you can purchase online.

%s - %s Version Required

%s Version Required

nch.com.au

nchsoftware.com

hXXp://VVV.%s/%s

Automatic download of the install-on-demand component "%s" failed.

The website will now be opened where you can download it manually.

Open Website

NCH Software\MixPad%s

MixPad%s

%sT%s

%s%sshmf%ii.bin.tmp

Click to visit the webpage for %s

Click to install and run %s

Click to run %s

MixPad Multitrack Recording Software cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.

hXXp://VVV.nchsoftware.com/%s

hXXp://VVV.nch.com.au/%s

hXXp://VVV.nchsoftware.com/software/index.html

hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s

hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s

hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nchsoftware.com%s%s

Please enter keywords to search for

Click to visit our website

%s\shell\open

Parts of this software are copyright and fall under the Info-Zip License. To view the license terms please open VVV.nchsoftware.com/backup/kb/1188.html.

Zip file could not be opened: %s

File could not be extracted from Zip file: %s

About %s

This version 4.27 of MixPad Multitrack Recording Software will only work on Windows 10 or earlier. A newer version is available for download on VVV.nchsoftware.com.

Peak level: %s

Technical Support Page

Send Bug Report

%s%*c

topic%d

Software\NCH Software\%s

Software\NCH Swift Sound\%s

Quick Install-on-Demand %s

-extfind %s

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.%s\UserChoice

Software\Classes\%s\shell\%s

%s\command

Software\Classes\%s\shell

Software\Classes\%s\DefaultIcon

Software\Classes\.%s

software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice

"%s" -extfind %s "%%L"

%SystemRoot%\system32\shell32.dll,19

Software\Classes\%s\Shell\%s

Software\Classes\%s\Shell

hXXp://VVV.nch.com.au/index.html

An install-on-demand tool (%s) is required for this operation.

hXXp://VVV.nch.com.au/kb/10271.html

Run %s

NCH Software\%s\%s.exe

NCH Swift Sound\%s\%s.exe

%s "%s"

Software\Classes\%s\shell\open\command

Software\Classes\%s\shell\open

%s%s%s%s

hXXp://VVV.nch.com.au/software/likeit.html?software=MixPad&version=4.27%s&appname=%s&domain=nch&base=mixpad&email=%s%s%s

Report a Problem

Click here if you would like to report a problem with MixPad Multitrack Recording Software.

If you find any problems with this release please let us know by reporting them.

%s Home Page

23:59:59

notifications-en.txt

hXXp://VVV.audiochannel.net/components/notifications/mixpad.txt

File%d

%s v 4.27

Distributed by %s

Licensed User: %s

%s (Alt %c)

%s...

{8856F961-340A-11D0-A96B-00C04FD705A2}

d\\.\%s

%s/microsoft/windows mail/local folders/%s

SMTP_Server

SMTP_Email_Address

00000001

Software\Microsoft\Internet Account Manager\Accounts\%s

SMTP Email Address

SMTP Server

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

%s\%s\d

%s\Thunderbird

%s\profiles.ini

%s\%s\prefs.js

mail.accountmanager.defaultaccount

mail.account.%s.identities

mail.identity.%s.useremail

mail.smtp.defaultserver

mail.smtpserver.%s.hostname

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe

deudora.ini

eudora.ini

%s\Qualcomm\Eudora\eudora.ini

SMTPServer

Windows Mail

Mozilla Thunderbird

libeay32.dll

ssleay32.dll

Opening Dropbox internet webpage for authorization...

hXXps://VVV.dropbox.com/1/oauth/authorize?oauth_token=%s

Waiting to confirm authorization from the Dropbox webpage...

contents[%d]/path

contents[%d]/is_dir

contents[%d]/bytes

MixPad.exe

hXXps://accounts.google.com/o/oauth2/auth?client_id=301431521283-v33b6ahndtiem04eeqm7kampikh98sf0.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&include_granted_scopes=true&scope=%s

Authorizing %s to Use Google Account

Authorizing %s ...

hXXps://VVV.googleapis.com/auth/drive

VVV.googleapis.com

'%s' in parents and trashed=false

application/vnd.google-apps.folder

mimeType='application/vnd.google-apps.folder' and trashed=false

'%s' in parents and title='%s' and mimeType!='application/vnd.google-apps.folder' and trashed=false

Opening SoundCloud webpage for authorization...

hXXps://soundcloud.com/connect?client_id=2d8f643a6441be0aff5e4a798188eec1&client_secret=b6621cb29959018458c562d8037b69c0&redirect_uri=nch.mixpad://authsoundcloud&response_type=token&scope=non-expiring

%s.%s

Unsupported DCT file format version

Decryption key is incorrect

Attempting to skip extensible data in an encrypted dictation without the correct decryption key

Attachment%d%s

Loading DCT File: %s

%s Options

BandPassFrequencyStart

LEQBandPassDlg

BandPassFrequencyEnd

BandPassSlope

BandPassAmp

LEQHighPassDlg

RootURL

Converting to .APE. Please wait...

wmvcore.dll

g_wszNumPasses

speexenc

%s/%d.aud

%s Effects

The VST "%s" under the path "%s" may contain some potential errors.

Are you sure you want to delete this preset? This operation can't be undone.

Export Preset As .fxp File

Export Session Bank As .fxb File

Import Preset .fxp File

Import Session Bank .fxb File

Program File (*.fxp)

*.fxp

Bank File (*.fxb)

*.fxb

VSTPresetImportFolder

Import a Preset

This preset file is not a valid match for the %s plugin

VSTBankImportFolder

Import a Session Bank

This bank file is not a valid match for the %s plugin

%s (%s):

Effects Chain File *.ecf

*.ecf

Please input a valid bitrate value in kbps between %d and %d.

--bitrate %d

--raw --raw-rate %d --raw-chan %d

- "%s"

Read %s of %s

000:00:00.000

%d:%.2d:%.2d

%d:%.2d:%.2d.%.1d

%d:%.2d:%.2d.%.3d

Gain (%d Hz)

%d.%d.%d

%ds.%d

%ds.d

%ds.d

%dm:ds

-m:ds.d

%dh:dm

%d:d:d

%d:d:d.d

Ý,%dh

Ý,%dh:dm

Ý,%d:d:d

Ý,%d:d:d.d

Name: %s

Location: %s

Bars: %d Beats: %d, Tempo: %.2f (Switch to "Beats and Measures" mode to edit)

Bars: %d Beats: %d, Tempo: %.2f

Bars: %d Beats: %d, Tempo: /

%d.64.32

eWavCodec.wff

Joint

-C %d

-R %d

-b %d

-q %d

- -o "%s"

License terms for this component can be found at: hXXp://VVV.opensource.org/licenses/lgpl-license.php

%d Hz, %d Bits, %s

Windows Media Audio V1

Windows Media Audio V2

ACELP.net

C:\Windows\System32\%s

%s-%s-%s

%s:%s:%s

Supported Image Files

*.jpg;*.jpeg;*.jpe;*.jfif;*.jif;*.png

g(%d)

WM/AudioFileURL

Loading CD Track %d

Only supports conversion of CD tracks to mono or stereo.

bUseCDLookupHTTP

%s %s (%s)

%d:%.2d

Decoding %s file

MixPad Multitrack Recording Software could not locate a plugin for the file with extension "%s".

You will need to download and install the plugin yourself from here: hXXp://VVV.nch.com.au/components/%s.exe.

MixPad Multitrack Recording Software could not locate a plugin for the file with extension "%s". No plugin appears to be available, therefore this format may be unsupported. Visit hXXp://VVV.nch.com.au/components/index.html to check if there is a plugin for this format.

Unable to load the installed %s decoder component.

Unable to initiate the installed %s decoder component.

%s decoding failed.

Unable to open the %s file.

The file is not a valid %s file.

Unrecognized %s format variant.

%s file header removal failed.

s520.dll

Unable to load %s.

Unable to load decoder from %s.

Please check that the %s file is valid and complete.

a1600.dll

a1800.dll

a4800.dll

"%s" --channels=%d --sample-rate=%d --compression-level-%d --endian=little --bps=16 --sign=signed -f - -o "%s"

Converting to Monkey Audio Codec

ESYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}

Windows Record Mixer

--cbr -b %d

--abr %d -V %d -q %d

-b %d -V %d -q %d

"%s"%s -m %s%s %s -r -x -s %d.%.3d -S "%s" "%s"

hXXp://VVV.mp3dev.org

--quality %d

-m %d -M %d

Please enter a valid url.

<title>%s</title>

<description>%s</description>

<link>%s</link>

<title>%s</title>

<description>%s</description>

<enclosure url="%s" length="%d" type="audio/mpeg" />

dSound.dll

--rate %d

--vbr --vbr-max-bitrate %d

--abr %d

Searching and caching VSTs...Validating

%s/%s.fxp

Please enter a preset name with no more than %d characters.

%s/index.csv

hXXp://VVV.audiochannel.net/stock/audio

0:00:00.0

%s/%s/%s

%s//%s.mp3

Downloading for Preview: %s

%s/%s/%s.ns

%s\%s\%s.wav

%s\%s\%s.ns

preview_%s.ns

%s/%s/preview_%s.ns

%s/%s.ns

%s/%s/index.csv

Downloading %s..

The Sounds are provided to you with a lifetime non-transferable license for synchronization rights only. You have the right to synchronize the audio content with audio and/or visual productions or applications such as * film, video, DVD & TV productions * training, marketing and trade show presentations * corporate videos & educational applications * on hold messages & advertising * radio presentations & commercials * television presentations & commercials * live performances * speech & audio book products * Web pages & multimedia presentations * PowerPoint & Flash productions * interactive programs & computer games * AV & computer generated displays, podcasts (all such applications hereinafter referred to as "the Production"). You may create copies of the Production. If you sell, lease, give away or otherwise distribute copies of the Production, the rights and limitations to synchronized audio content as outlined are in effect for the life of the Production and pass automatically to the End User of the Production. All rights not expressly granted herein are reserved.

PluginFile %d

PluginHistoryLimit %d

PluginRealLimit %d

Windows Media Audio Voice 9

Windows Media Audio

WindowsMedia_Format

WindowsMedia_VideoCodec

WindowsMedia_VideoBitrate

WindowsMedia_SoundCodecIndex

WindowsMedia_SoundFormatIndex

WindowsMedia_VideoQuality

WindowsMedia_LiveSource

WEBM_VideoCodec

WEBM_AudioCodec

WEBM_VideoQuality

WEBM_AudioQuality

%s_XVID

%s_AVI

hXXp://ffmpeg.org

avutil-52.nch.dll

swscale-2.nch.dll

avcodec-55.nch.dll

avformat-55.nch.dll

swresample-0.nch.dll

f.wpp

.mjpeg

.moov

.mp4v

.rmvb

"%s" - -

"%s" -s %d -l %d -d -w -

FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com

"%s" -o raw

Copyright (C) 2000-2002 Michel Lespinasse <walken@zoy.org>

Copyright (C) 1999-2000 Aaron Holtzman <aholtzma@ess.engr.uvic.ca>

"%s" %s - -

"%s" -C %d -R %d -b %d

"%s" -r

-s %d.d

-b %d --cbr --nores --nchvideo - -

4ddraw.dll

Codec component is corrupted, missing or inaccessible. Please delete the component %s and retry.

%s 00:00:00.000

%s %.2d:%.2d:%.2d.%.3d

Importing: %s

Importing Files

Converting to indexed color

Decoding %s image

Encoding %s image

v.clpi

*d*N*>*.*

LSPEEXENCODEDLG

Connect using HTTP

Use SMTP to send email directly to the mail server

SMTP mail host:

Password:

Send directly to other side (work as own SMTP server)

Root URL:

A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.

&ID - Key:

High-Pass Filter

BandPass Settings

HighPass Settings

Press Key

Press a key or a key combination.

MixPad requires your authorization before it can read or upload your videos to YouTube. The Google webpage must be accessed in order to authorize MixPad.

Export Options

Export selected work region only

Tag exported audio file with project meta-data

Bind key for this track:

Bind Key...

WindowsCleintc.exe_892:

.text

`.itext

`.data

.idata

.rdata

@.vmp0

`.reloc

@.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

hXXp://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

hGSO

1!1,1=1|1

6 6$6(6,606

=!=$=)=-=1=

01m1

0 0$0(0,0004080<0@0

<!=$=)=-=4=

;"<?<_<|<

; ;$;(;,;0;4;8;<;@;

7 8$888<8

= =$=(=,=0=4=8=

UntKeylogger

KWindows

UntActivePorts

UntControlKey

UntCaptureWebcam

UntWebCam

UrlMon

(UntUploadFTPThread

UntFTP

_UntUDPFlood

YUntScanPorts

0UntPasswordAndData

XUntHTTPFlood

UntCPU

66006666

No help found for %s#No context-sensitive help installed

No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

No argument for format '%s'"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

1, 0, 0, 1

MSRSAAP.EXE

4, 0, 0, 0

WindowsCleintc.exe_892_rwx_00400000_000C2000:

.text

`.itext

`.data

.idata

.rdata

@.vmp0

`.reloc

@.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

hXXp://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

hGSO

1!1,1=1|1

6 6$6(6,606

=!=$=)=-=1=

01m1

0 0$0(0,0004080<0@0

<!=$=)=-=4=

;"<?<_<|<

; ;$;(;,;0;4;8;<;@;

7 8$888<8

= =$=(=,=0=4=8=

UntKeylogger

KWindows

UntActivePorts

UntControlKey

UntCaptureWebcam

UntWebCam

UrlMon

(UntUploadFTPThread

UntFTP

_UntUDPFlood

YUntScanPorts

0UntPasswordAndData

XUntHTTPFlood

UntCPU

66006666

No help found for %s#No context-sensitive help installed

No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

No argument for format '%s'"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

1, 0, 0, 1

MSRSAAP.EXE

4, 0, 0, 0

notepad.exe_2132:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

msvcrt.dll

COMDLG32.dll

SHELL32.dll

WINSPOOL.DRV

ole32.dll

SHLWAPI.dll

COMCTL32.dll

OLEAUT32.dll

VERSION.dll

ntdll.dll

RegCloseKey

RegCreateKeyW

RegOpenKeyExW

GetProcessHeap

SetViewportExtEx

GetKeyboardLayout

_amsg_exit

_acmdln

ShellExecuteExW

notepad.pdb

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

===111*!

'141133!/!(!(!""/""

;;;;4;3423332

keYM

,k<.KQ

.WF"hB

dx.Rl

V.xOx_T

<'<.<9<_<

/.SETUP

%s%c*.txt%c%s%c*.*%c

*.txt

mshelp://windows/?id=5d18d5fb-e737-4a73-b6cc-dccc63720231

\StringFileInfo\xx\OriginalFilename

\sppsvc.exe

\slui.exe

\sppuinotify.dll

Text Documents (*.txt)

6.1.7600.16385 (win7_rtm.090713-1255)

NOTEPAD.EXE

Windows

Operating System

6.1.7600.16385

notepad.exe_2132_rwx_00060000_00001000:

kernel32.dll

notepad.exe_2132_rwx_00070000_00001000:

user32.dll

notepad.exe_2132_rwx_001A0000_00001000:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   WindowsCleintc.exe:3636
   7818dbfd-e4e5-4941-8ccd-119c736fa192.exe:3944
   WScript.exe:536
   mpsetup.exe:3932
   %original file name%.exe:260
   WindowsClient.exe:1100
   WindowsClient.exe:3712

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5773.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (212 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ih8sn0w_com[1].htm (331 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_0846D508E2BCE39E6E88CB882AB20A90 (660 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5772.tmp (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1542 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_0846D508E2BCE39E6E88CB882AB20A90 (463 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_ABF444171F51EB141946978F75755905 (1464 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\v1[1].js (24924 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_ABF444171F51EB141946978F75755905 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ce8036a4-9d31-4bb1-9078-dfd8b09bce3f\938418274.vbs (511 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ce8036a4-9d31-4bb1-9078-dfd8b09bce3f\mpsetup.exe (18795 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (9 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (61481 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp994424152.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ih8sn0w_com[1].htm (178 bytes)
   C:\ProgramData\WindowsClient.exe (219797 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe (32727 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3CD4.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab564E.tmp (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3C06.tmp (51 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ih8sn0w_com[1].htm (331 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3C07.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7818dbfd-e4e5-4941-8ccd-119c736fa192.exe (50 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar564F.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3CD3.tmp (51 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe"
   
   

5. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "UserInit" = "C:\Windows\system32\userinit.exe,C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsCleintc.exe"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.