MD5: 9bfc3f77e3abfe209e0992e616294c1c
SHA1: 6cc7dec0bdc1bd2bc81956b7728b18ae460f4ee7
SHA256: f7bb52792994ce4ff255a7e32acd52201effa6889ad6f2221468f0b2aec9a558
SSDeep: 49152:vKVCiW3Qb1mzjWUSnRrKS3mKdLR6SAeF1kgKOGXUCQ xyOD:Xs1mV9AmK14gZGX/Q6yOD
Size: 2278400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-31 05:28:47
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

OXKQdheGPi.exe:3408
RDiR.exe:3360
%original file name%.exe:1796

The Trojan injects its code into the following process(es):

RegSvcs.exe:3500
RegSvcs.exe:3396

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process OXKQdheGPi.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ykwxeum (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\RDiR.exe (1874 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1BF8.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ecFfA.au3 (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ykwxeum (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1BF8.tmp (0 bytes)

The process RDiR.exe:3360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CfdSACDBWJVW.lnk (846 bytes)

The process RegSvcs.exe:3396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\03-11-2016 (354 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\audioHQdriver\audioHQdriver.exe (44 bytes)

The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\OXKQdheGPi.exe (66617 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\OXKQdheGPi.exe (0 bytes)

Registry activity

The process RegSvcs.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"audioHQdriver" = "C:\Users\"%CurrentUserName%"\AppData\Local\audioHQdriver\audioHQdriver.exe"

The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
nni.no-ip.biz	78.31.66.151
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

j.Yf;

r%f;M

j.Xf;

j.Zf;

PSSSSSSh

Gt.Ht$

.ku`8iu~fiu

kernel32.dll

?#%X.y

GetProcessWindowStation

operator

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

UQ.WP

mI.Us

\.gGL

.FFF<

,.bh9

].Whjj*

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

? ?$?(?,?0?4?8?

2 2$2(2,2024282

<#<'< </<

4F4s4

4D4C4R4e4u4

2!2%2)2-2125292=2

01s1

2=22393@3[3

?&?-?4?:?

8Ÿ94:

8!9*919<9

> >$>(>,>

? ?$?(?,?0?

/AutoIt3ExecuteScript

/AutoIt3ExecuteLine

CMDLINE

CMDLINERAW

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MAPKEYS

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDownDelay

SendKeyDelay

TCPTimeout

mscoree.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

789:;<=>?

APPSKEY

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

KEYS

Line %d:

\\?\UNC\

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 14, 2

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

C:\Users\"%CurrentUserName%"\AppData\Roaming\RDiR.exe

hXXp://VVV.autoitscript.com/autoit3/

AutoIt3.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

RegSvcs.exe_3500:

`.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MM Operation after uninstall.

Note: To obtain a log file containing detail on memory leaks, enable the "FullDebugMode" and "LogMemoryLeakDetailToFile" conditional defines. To disable this memory leak check, undefine "EnableMemoryLeakReporting".

If you want to use FastMM4, please make sure that FastMM4.pas is the very first unit in the "uses"

section of your project's .dpr file.

FastMM4.pas MUST be the first unit in your project's .dpr file, otherwise memory may be allocated

go into its configuration page and ensure that the FastMM4.pas unit is initialized before any other unit.

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

UhÊ

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

Uh%UB

.Owner

EInvalidGraphicOperation

comctl32.dll

USER32.DLL

windows

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

MAPI32.DLL

msShiftSelect

OnKeyDown(

OnKeyPress

OnKeyUp

RICHED32.DLL

TComboBoxExEnumerator

ole32.dll

ssHorizontal

OnKeyUpP7E

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword0

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

AutoHotkeysL

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState0

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

TsWindowShowMode

user32.dll

colorui.dll

shell32.dll

comdlg32.dll

compstui.dll

inetres.dll

THotKey

1.2.3

Invalid ZStream operation!

msimg32.dll

Cannot load image. %s not supported for %s files.

Cannot load image. Palette in %s file is invalid.

Cannot load image. Invalid or unexpected %s image format.

Cannot load image. CRC error found in %s file.

Cannot load image. Extra compressed data found in %s file.

Cannot load image. Compression error found in %s file.

Invalid color format in %s file.

3333333

Conversion between indexed and non-indexed pixel formats is not supported.

Portable network graphics (AlphaControls)

TsShowTimer|

TsShowTimer4

TacMDIWnd

Uh.lM

gdi32.dll

TsShadowMode

TsWebLabel

TsShadow

TsShadow8XP

WEBBUTTON

PROGRESSH

TacMenuSupport

TacMenuSupportp

Webdings

TAddItemExEvent

DWMAPI.DLL

acMDIIcons

 |$(;<$}?

TsShellTreeViewT#T

TsShellTreeView4"T

OnKeyUpL

Unable to retrieve folder details for "%s". Error code $%x

Error Setting Path: %s

%s: Missing call to LoadColumnDetails

Uh.OT

Rename to %s failed

sShellTreeView1

sShellTreeView1Change

CRASPIPETTE

TacScrollBarsSupport

TacButtonsSupport

TacLabelsSupport

MenuSupport

KeyList

c:\Skins

Options.dat

.JPEG

1.tmp

Please, update skins to latest or contact the AlphaControls support for upgrading of existing skin.

This version of the skin has not complete support by used AlphaControls package release.

Secure key has incorrect format

StringFileInfo\%s\%s

FormKeyPress

hXXp://

CachemanControl.exe

%s %d.%d

inflate 1.2.3 Copyright 1995-2005 Mark Adler

If you have a key for this skin, please insert it in the KeyList.

1iu2.iu

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\cf1\b\f0\fs16 Dedicated to:\par

\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\fi-142\li142 All the community and friends at \cf2\b nsaneforums.com\cf1\b0\par

\b0 If you can afford it, please BUY IT. Your support allow developers to create better software.\b\par

{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\cf1\b\i\f0\fs16 NOTE: Always run this patch as Admin!\par

KWindows

UrlMon

%sPopupClndr

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Shadow.OffsetKeeper.LeftTop

Shadow.OffsetKeeper.RightBottom

VVV.nsaneforums.com

HoverFont.Charset

HoverFont.Color

HoverFont.Height

HoverFont.Name

HoverFont.Style

Picture.Data

SkinData.SkinSection

Kind.KindType

Shadow.Mode

SkinData.CustomFont

AddedTitle.Font.Charset

AddedTitle.Font.Color

AddedTitle.Font.Height

AddedTitle.Font.Name

AddedTitle.Font.Style

]!!!9%%%

TVVGegg`qss`uww`vxx`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`uww`moo`[]]]QSS%UWW

QSS.PRRQQSS`RTTqRTT

UWW.RTTMQSSEQSSCQSSCQSSCQSSNUWW UWW

MPPoRTT

OQQ1IKK/IKK.IKK.IKK.KMM3UWW

cacheman.outertech.com

SkinData.ColorTone

iRight click here and use <br>the context menu to<br>switch between <b>Info</b><br>and <b>Log</b> windows.

Effects.AllowOuterEffects

AnimEffects.BlendOnMoving.Active

AnimEffects.FormShow.Time

AnimEffects.FormShow.Mode

AnimEffects.FormHide.Time

AnimEffects.FormHide.Mode

AnimEffects.Minimizing.Time

OPTIONS.DAT

B%sB;%

BUTTONHUGE.BMP6

`}-f}6

.Xnek

`}-f}

MASTER.BMP

S%%%UF

<%XiB

TOPRIGHT.BMPv

iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:EB9E5EF409DF11E6BED5C1AD800A8E03" xmpMM:InstanceID="xmp.iid:EB9E5EF309DF11E6BED5C1AD800A8E03" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5CC150B1099911E6AB7BA5052616612D" stRef:documentID="xmp.did:5CC150B2099911E6AB7BA5052616612D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>e}C'

MenuSupport.IcoLineSkin

ICOLINE!MenuSupport.ExtraLineFont.Charset

MenuSupport.ExtraLineFont.Color

clWindowText MenuSupport.ExtraLineFont.Height

MenuSupport.ExtraLineFont.Name

MenuSupport.ExtraLineFont.Style

ThirdParty.ThirdEdits

ThirdParty.ThirdButtons

ThirdParty.ThirdBitBtns

ThirdParty.ThirdCheckBoxes

ThirdParty.ThirdGroupBoxes

ThirdParty.ThirdListViews

ThirdParty.ThirdPanels

ThirdParty.ThirdGrids

ThirdParty.ThirdTreeViews

ThirdParty.ThirdComboBoxes

ThirdParty.ThirdWWEdits

ThirdParty.ThirdVirtualTrees

ThirdParty.ThirdGridEh

ThirdParty.ThirdPageControl

ThirdParty.ThirdTabControl

ThirdParty.ThirdToolBar

ThirdParty.ThirdStatusBar

ThirdParty.ThirdSpeedButton

ThirdParty.ThirdScrollControl

ThirdParty.ThirdUpDown

ThirdParty.ThirdScrollBar

ThirdParty.ThirdStaticText

ThirdParty.ThirdNativePaint

ImageDefault.ImageHeight

ImageDefault.ImageWidth

ImageDefault.ClientMargins.Top

ImageDefault.ClientMargins.Left

!ImageDefault.ClientMargins.Bottom

ImageDefault.ClientMargins.Right

ImageDefault.BordersWidths.Top

ImageDefault.BordersWidths.Left

!ImageDefault.BordersWidths.Bottom

ImageDefault.BordersWidths.Right

ImageDefault.ShadowSizes.Top

ImageDefault.ShadowSizes.Left

ImageDefault.ShadowSizes.Bottom

ImageDefault.ShadowSizes.Right

ImageDefault.ImgData

Img_LeftBottom.ImageHeight

Img_LeftBottom.ImageWidth

Img_LeftBottom.ClientMargins.Top

!Img_LeftBottom.ClientMargins.Left

#Img_LeftBottom.ClientMargins.Bottom

"Img_LeftBottom.ClientMargins.Right

Img_LeftBottom.BordersWidths.Top

!Img_LeftBottom.BordersWidths.Left

##Img_LeftBottom.BordersWidths.Bottom

"Img_LeftBottom.BordersWidths.Right

Img_LeftBottom.ShadowSizes.Top

Img_LeftBottom.ShadowSizes.Left

!Img_LeftBottom.ShadowSizes.Bottom

Img_LeftBottom.ShadowSizes.Right

Img_LeftBottom.ImgData

86K%S

Img_RightBottom.ImageHeight

Img_RightBottom.ImageWidth

!Img_RightBottom.ClientMargins.Top

"Img_RightBottom.ClientMargins.Left

$Img_RightBottom.ClientMargins.Bottom

#Img_RightBottom.ClientMargins.Right

!Img_RightBottom.BordersWidths.Top

"Img_RightBottom.BordersWidths.Left

$Img_RightBottom.BordersWidths.Bottom

#Img_RightBottom.BordersWidths.Right

Img_RightBottom.ShadowSizes.Top

Img_RightBottom.ShadowSizes.Left

"Img_RightBottom.ShadowSizes.Bottom

!Img_RightBottom.ShadowSizes.Right

Img_RightBottom.ImgData

.IDATx

Img_RightTop.ImageHeight

Img_RightTop.ImageWidth

Img_RightTop.ClientMargins.Top

Img_RightTop.ClientMargins.Left

!Img_RightTop.ClientMargins.Bottom

Img_RightTop.ClientMargins.Right

Img_RightTop.BordersWidths.Top

Img_RightTop.BordersWidths.Left

!Img_RightTop.BordersWidths.Bottom

Img_RightTop.BordersWidths.Right

Img_RightTop.ShadowSizes.Top

Img_RightTop.ShadowSizes.Left

Img_RightTop.ShadowSizes.Bottom

Img_RightTop.ShadowSizes.Right

Img_RightTop.ImgData

Constraints.MinHeight

Constraints.MinWidth

TsShellTreeView

BoundLabel.Active

BoundLabel.Caption

BoundLabel.Indent

BoundLabel.Layout

BoundLabel.MaxWidth

BoundLabel.UseSkinColor

VertScrollBar.Tracking

Constraints.MaxHeight

Constraints.MaxWidth

Glyph.Data

GlyphMode.Blend

GlyphMode.Grayed

Colors.Strings

sEditHexKeyPress

Brush.Color

Pen.Color

Pen.Width

GetCPInfo

RegOpenKeyExA

RegFlushKey

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

GetViewportOrgEx

ShellExecuteExA

ShellExecuteA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

LMsg]

Z%U]\6

.qvx|||yR..:5)

5Pqzuqlf9%C

%%%Xggg

{{{~000%

%%%xrll

$%%%sfff

name="Cacheman.10.x.Patch"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

<!-- Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!-- Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!-- Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

KERNEL32.DLL

advapi32.dll

IMAGEHLP.DLL

version.dll

winspool.drv

Add to custom colors set8Listbox (%s) style must be virtual in order to set Count

Error setting %s.Count

Target file: %s

[FAIL],File already patched or unsupported version!MCan't open file! Maybe is in use or you don't have access rights to the file.

Can't open file "%s". Maybe is in use or you don't

- Any anti-virus/anti-malware software is disabled.'File "%s" not found in selected folder!

[ %s - PATCH END ]

[ %s - PATCH START ]

JPEG error #%d

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters.Cannot change the size of a memory-mapped file

"%s" is not a valid PE file!

Cannot create process: %s

Can't create backup file! - %s

Failed to Save Stream=This control requires version 4.70 or greater of COMCTL32.DLL

No help keyword specified.&Cannot change the size of a JPEG image

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Invalid clipboard format Clipboard does not support Icons

Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form

%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid property element: %s

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Operation not supported

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

1.1.0.0

RegSvcs.exe_3500_rwx_00400000_00206000:

`.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MM Operation after uninstall.

Note: To obtain a log file containing detail on memory leaks, enable the "FullDebugMode" and "LogMemoryLeakDetailToFile" conditional defines. To disable this memory leak check, undefine "EnableMemoryLeakReporting".

If you want to use FastMM4, please make sure that FastMM4.pas is the very first unit in the "uses"

section of your project's .dpr file.

FastMM4.pas MUST be the first unit in your project's .dpr file, otherwise memory may be allocated

go into its configuration page and ensure that the FastMM4.pas unit is initialized before any other unit.

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

UhÊ

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

Uh%UB

.Owner

EInvalidGraphicOperation

comctl32.dll

USER32.DLL

windows

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

MAPI32.DLL

msShiftSelect

OnKeyDown(

OnKeyPress

OnKeyUp

RICHED32.DLL

TComboBoxExEnumerator

ole32.dll

ssHorizontal

OnKeyUpP7E

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword0

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

AutoHotkeysL

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState0

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

TsWindowShowMode

user32.dll

colorui.dll

shell32.dll

comdlg32.dll

compstui.dll

inetres.dll

THotKey

1.2.3

Invalid ZStream operation!

msimg32.dll

Cannot load image. %s not supported for %s files.

Cannot load image. Palette in %s file is invalid.

Cannot load image. Invalid or unexpected %s image format.

Cannot load image. CRC error found in %s file.

Cannot load image. Extra compressed data found in %s file.

Cannot load image. Compression error found in %s file.

Invalid color format in %s file.

3333333

Conversion between indexed and non-indexed pixel formats is not supported.

Portable network graphics (AlphaControls)

TsShowTimer|

TsShowTimer4

TacMDIWnd

Uh.lM

gdi32.dll

TsShadowMode

TsWebLabel

TsShadow

TsShadow8XP

WEBBUTTON

PROGRESSH

TacMenuSupport

TacMenuSupportp

Webdings

TAddItemExEvent

DWMAPI.DLL

acMDIIcons

 |$(;<$}?

TsShellTreeViewT#T

TsShellTreeView4"T

OnKeyUpL

Unable to retrieve folder details for "%s". Error code $%x

Error Setting Path: %s

%s: Missing call to LoadColumnDetails

Uh.OT

Rename to %s failed

sShellTreeView1

sShellTreeView1Change

CRASPIPETTE

TacScrollBarsSupport

TacButtonsSupport

TacLabelsSupport

MenuSupport

KeyList

c:\Skins

Options.dat

.JPEG

1.tmp

Please, update skins to latest or contact the AlphaControls support for upgrading of existing skin.

This version of the skin has not complete support by used AlphaControls package release.

Secure key has incorrect format

StringFileInfo\%s\%s

FormKeyPress

hXXp://

CachemanControl.exe

%s %d.%d

inflate 1.2.3 Copyright 1995-2005 Mark Adler

If you have a key for this skin, please insert it in the KeyList.

1iu2.iu

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\cf1\b\f0\fs16 Dedicated to:\par

\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\fi-142\li142 All the community and friends at \cf2\b nsaneforums.com\cf1\b0\par

\b0 If you can afford it, please BUY IT. Your support allow developers to create better software.\b\par

{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\cf1\b\i\f0\fs16 NOTE: Always run this patch as Admin!\par

KWindows

UrlMon

%sPopupClndr

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Shadow.OffsetKeeper.LeftTop

Shadow.OffsetKeeper.RightBottom

VVV.nsaneforums.com

HoverFont.Charset

HoverFont.Color

HoverFont.Height

HoverFont.Name

HoverFont.Style

Picture.Data

SkinData.SkinSection

Kind.KindType

Shadow.Mode

SkinData.CustomFont

AddedTitle.Font.Charset

AddedTitle.Font.Color

AddedTitle.Font.Height

AddedTitle.Font.Name

AddedTitle.Font.Style

]!!!9%%%

TVVGegg`qss`uww`vxx`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`wyy`uww`moo`[]]]QSS%UWW

QSS.PRRQQSS`RTTqRTT

UWW.RTTMQSSEQSSCQSSCQSSCQSSNUWW UWW

MPPoRTT

OQQ1IKK/IKK.IKK.IKK.KMM3UWW

cacheman.outertech.com

SkinData.ColorTone

iRight click here and use <br>the context menu to<br>switch between <b>Info</b><br>and <b>Log</b> windows.

Effects.AllowOuterEffects

AnimEffects.BlendOnMoving.Active

AnimEffects.FormShow.Time

AnimEffects.FormShow.Mode

AnimEffects.FormHide.Time

AnimEffects.FormHide.Mode

AnimEffects.Minimizing.Time

OPTIONS.DAT

B%sB;%

BUTTONHUGE.BMP6

`}-f}6

.Xnek

`}-f}

MASTER.BMP

S%%%UF

<%XiB

TOPRIGHT.BMPv

iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:EB9E5EF409DF11E6BED5C1AD800A8E03" xmpMM:InstanceID="xmp.iid:EB9E5EF309DF11E6BED5C1AD800A8E03" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5CC150B1099911E6AB7BA5052616612D" stRef:documentID="xmp.did:5CC150B2099911E6AB7BA5052616612D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>e}C'

MenuSupport.IcoLineSkin

ICOLINE!MenuSupport.ExtraLineFont.Charset

MenuSupport.ExtraLineFont.Color

clWindowText MenuSupport.ExtraLineFont.Height

MenuSupport.ExtraLineFont.Name

MenuSupport.ExtraLineFont.Style

ThirdParty.ThirdEdits

ThirdParty.ThirdButtons

ThirdParty.ThirdBitBtns

ThirdParty.ThirdCheckBoxes

ThirdParty.ThirdGroupBoxes

ThirdParty.ThirdListViews

ThirdParty.ThirdPanels

ThirdParty.ThirdGrids

ThirdParty.ThirdTreeViews

ThirdParty.ThirdComboBoxes

ThirdParty.ThirdWWEdits

ThirdParty.ThirdVirtualTrees

ThirdParty.ThirdGridEh

ThirdParty.ThirdPageControl

ThirdParty.ThirdTabControl

ThirdParty.ThirdToolBar

ThirdParty.ThirdStatusBar

ThirdParty.ThirdSpeedButton

ThirdParty.ThirdScrollControl

ThirdParty.ThirdUpDown

ThirdParty.ThirdScrollBar

ThirdParty.ThirdStaticText

ThirdParty.ThirdNativePaint

ImageDefault.ImageHeight

ImageDefault.ImageWidth

ImageDefault.ClientMargins.Top

ImageDefault.ClientMargins.Left

!ImageDefault.ClientMargins.Bottom

ImageDefault.ClientMargins.Right

ImageDefault.BordersWidths.Top

ImageDefault.BordersWidths.Left

!ImageDefault.BordersWidths.Bottom

ImageDefault.BordersWidths.Right

ImageDefault.ShadowSizes.Top

ImageDefault.ShadowSizes.Left

ImageDefault.ShadowSizes.Bottom

ImageDefault.ShadowSizes.Right

ImageDefault.ImgData

Img_LeftBottom.ImageHeight

Img_LeftBottom.ImageWidth

Img_LeftBottom.ClientMargins.Top

!Img_LeftBottom.ClientMargins.Left

#Img_LeftBottom.ClientMargins.Bottom

"Img_LeftBottom.ClientMargins.Right

Img_LeftBottom.BordersWidths.Top

!Img_LeftBottom.BordersWidths.Left

##Img_LeftBottom.BordersWidths.Bottom

"Img_LeftBottom.BordersWidths.Right

Img_LeftBottom.ShadowSizes.Top

Img_LeftBottom.ShadowSizes.Left

!Img_LeftBottom.ShadowSizes.Bottom

Img_LeftBottom.ShadowSizes.Right

Img_LeftBottom.ImgData

86K%S

Img_RightBottom.ImageHeight

Img_RightBottom.ImageWidth

!Img_RightBottom.ClientMargins.Top

"Img_RightBottom.ClientMargins.Left

$Img_RightBottom.ClientMargins.Bottom

#Img_RightBottom.ClientMargins.Right

!Img_RightBottom.BordersWidths.Top

"Img_RightBottom.BordersWidths.Left

$Img_RightBottom.BordersWidths.Bottom

#Img_RightBottom.BordersWidths.Right

Img_RightBottom.ShadowSizes.Top

Img_RightBottom.ShadowSizes.Left

"Img_RightBottom.ShadowSizes.Bottom

!Img_RightBottom.ShadowSizes.Right

Img_RightBottom.ImgData

.IDATx

Img_RightTop.ImageHeight

Img_RightTop.ImageWidth

Img_RightTop.ClientMargins.Top

Img_RightTop.ClientMargins.Left

!Img_RightTop.ClientMargins.Bottom

Img_RightTop.ClientMargins.Right

Img_RightTop.BordersWidths.Top

Img_RightTop.BordersWidths.Left

!Img_RightTop.BordersWidths.Bottom

Img_RightTop.BordersWidths.Right

Img_RightTop.ShadowSizes.Top

Img_RightTop.ShadowSizes.Left

Img_RightTop.ShadowSizes.Bottom

Img_RightTop.ShadowSizes.Right

Img_RightTop.ImgData

Constraints.MinHeight

Constraints.MinWidth

TsShellTreeView

BoundLabel.Active

BoundLabel.Caption

BoundLabel.Indent

BoundLabel.Layout

BoundLabel.MaxWidth

BoundLabel.UseSkinColor

VertScrollBar.Tracking

Constraints.MaxHeight

Constraints.MaxWidth

Glyph.Data

GlyphMode.Blend

GlyphMode.Grayed

Colors.Strings

sEditHexKeyPress

Brush.Color

Pen.Color

Pen.Width

GetCPInfo

RegOpenKeyExA

RegFlushKey

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

GetViewportOrgEx

ShellExecuteExA

ShellExecuteA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

LMsg]

Z%U]\6

.qvx|||yR..:5)

5Pqzuqlf9%C

%%%Xggg

{{{~000%

%%%xrll

$%%%sfff

name="Cacheman.10.x.Patch"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

<!-- Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!-- Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!-- Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

KERNEL32.DLL

advapi32.dll

IMAGEHLP.DLL

version.dll

winspool.drv

Add to custom colors set8Listbox (%s) style must be virtual in order to set Count

Error setting %s.Count

Target file: %s

[FAIL],File already patched or unsupported version!MCan't open file! Maybe is in use or you don't have access rights to the file.

Can't open file "%s". Maybe is in use or you don't

- Any anti-virus/anti-malware software is disabled.'File "%s" not found in selected folder!

[ %s - PATCH END ]

[ %s - PATCH START ]

JPEG error #%d

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters.Cannot change the size of a memory-mapped file

"%s" is not a valid PE file!

Cannot create process: %s

Can't create backup file! - %s

Failed to Save Stream=This control requires version 4.70 or greater of COMCTL32.DLL

No help keyword specified.&Cannot change the size of a JPEG image

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Invalid clipboard format Clipboard does not support Icons

Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form

%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid property element: %s

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Operation not supported

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

1.1.0.0

RegSvcs.exe_3396:

t.CeAPKN

X l.dlT

v2.0.50727

3.exe

System.Runtime.CompilerServices

.ctor

System.Reflection

.cctor

kernel32.dll

System.Threading

System.IO

Microsoft.VisualBasic

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.Devices

get_WebServices

MyWebServices

System.Diagnostics

System.Net.Sockets

System.Drawing

System.Text

System.Windows.Forms

System.Net

System.Resources

System.Drawing.Imaging

System.Collections.Generic

System.Runtime.InteropServices

winmm.dll

System.Collections.ObjectModel

SetThreadExecutionState

GetExtendedTcpTable

IPHLPAPI.dll

GetExtendedUdpTable

SetTcpEntry

iphlpapi.dll

wsock32.dll

user32.dll

EnumWindows

User32.dll

msvcrt.dll

keybd_event

MapVirtualKey

advapi32.dll

System.Security.AccessControl

System.ComponentModel

SocketAsyncOperation

KeyboardInput

Webcam

Keylogger

TcpConnections

PasswordRecovery

Website

ChangeEncryptionKey

SubKeyList

PasswordRecoveryPacket

TcpConnectionPacket

dlExecute

StopCmd

CmdIn

KeyLoggerPacket

WebcamPacket

WebcamSocket

Windows

KeyEventArgs

KeyEventHandler

Keys

Microsoft.VisualBasic.MyServices

WebClient

shell32.dll

OperatingSystem

System.Collections

RegistryKey

Microsoft.Win32

ProcessWindowStyle

System.IO.Compression

ntdll.dll

KeyboardHook

KeyDownEventHandler

Crypt32.dll

System.Text.RegularExpressions

WebcamClient

AForge.Video.DirectShow

get_WebcamClient

set_WebcamClient

AForge.Video

System.Security.Cryptography

System.Collections.Specialized

get_SupportsIPv6Addresses

set_SupportsIPv6Addresses

get_SupportsCommandConnect

set_SupportsCommandConnect

get_SupportsCommandBind

set_SupportsCommandBind

get_SupportsCommandAssociate

set_SupportsCommandAssociate

System.Security.Principal

WebRequest

HttpWebRequest

IWebProxy

WebResponse

HttpWebResponse

WindowsIdentity

WindowsPrincipal

WindowsBuiltInRole

System.Management

System.Net.NetworkInformation

System.Globalization

System.CodeDom.Compiler

Microsoft.VisualBasic.CompilerServices

HelpKeywordAttribute

System.ComponentModel.Design

System.Security

115b7917-3f0b-45c4-bdae-cc26f0d73a25.resources

67f7d3a6-57f6-4fde-9c49-039d736dc940.resources

787df9a5-7602-4bad-a87c-e13d7305e884.resources

76b16c5f-f8c3-4b90-bb06-9d3ad0a05180.resources

dc8343e1-712d-4121-b2f3-8f04c5b86d01.resources

get_ExecutablePath

Operators

GetExecutingAssembly

get_LastOperation

ContainsKey

add_KeyDown

get_KeyCode

set_SuppressKeyPress

InvalidOperationException

OpenSubKey

GetSubKeyNames

set_UseShellExecute

set_WindowStyle

CopyPixelOperation

remove_KeyDown

ConfuserEx v0.1.0-custom

1.0.0.0

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

nni.no-ip.biz

Operating System: {0}

Failed to reset encryption key

dc8343e1-712d-4121-b2f3-8f04c5b86d01

115b7917-3f0b-45c4-bdae-cc26f0d73a25

d1144f80-89f9-41ee-8936-ddf64f4269d2

9537bf89-0ff3-4f87-a0d7-955c91b4b104

76b16c5f-f8c3-4b90-bb06-9d3ad0a05180

725fdfb8-cfd9-4922-8719-ef29733d1c57

998877665544332211

19f4c463-c572-4c74-8787-d4a8e36cc01b

ee4ae134-85f6-4e24-a4a1-28499c6bf180

67f7d3a6-57f6-4fde-9c49-039d736dc940

787df9a5-7602-4bad-a87c-e13d7305e884

data.Length: {0} SendIndex: {1} _BufferSize: {2} Offset: {3}

File downloaded & executed

SAPI.spvoice

{0}\{1}{2}

.html

Failed to load SubKeys

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\Run

\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

cmd.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

\\.\DISPLAY1

origin_url

\Google\Chrome\User Data\Default\Login Data

logins

password_value

Google Chrome

Mozilla Firefox\

logins.json

Mozilla\Firefox\Profiles

Mozilla Firefox

"encryptedPassword":".*",

Password: {3}

SQLite format 3

nspr4.dll

mozsqlite3.dll

plds4.dll

ssutil3.dll

mozglue.dll

\nss3.dll

sqlite3.dll

plc4.dll

nssutil3.dll

msvcp100.dll

mozcrt19.dll

msvcr100.dll

PK11_GetInternalKeySlot

\uTorrent\uTorrent.exe

\BitTorrent\bittorrent.exe

\BitTorrent\BitTorrent.exe

\Vuze\Azureus.exe

audioHQdriver.exe

3af4c87a-6a9c-4bb3-8378-969113eb63a5

Port = {0}

{0}\{1}\{2}

\Imminent\Path.dat

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

client.log

/C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "

:Zone.Identifier

taskmgr.exe

/C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "

application/x-www-form-urlencoded

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36

NICK

ClientLoaderForm.resources

JOIN

PRIVMSG

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

cmemoryexecute

Keylogger.

Spyware.NanoCore

Spyware.DarkComet

File could not be removed, removing key

HKEY_CURRENT_USER

Key removed

HKEY_LOCAL_MACHINE

Key could not be removed

HKEY_CURRENT_USER\

HKEY_LOCAL_MACHINE\

winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2

winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter

[{0}] {1}

\Imminent\Geo.dat

hXXp://VVV.iptrackeronline.com/

sampleKey

RegSvcs.exe_3396_rwx_00070000_0005E000:

t.CeAPKN

X l.dlT

v2.0.50727

3.exe

System.Runtime.CompilerServices

.ctor

System.Reflection

.cctor

kernel32.dll

System.Threading

System.IO

Microsoft.VisualBasic

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.Devices

get_WebServices

MyWebServices

System.Diagnostics

System.Net.Sockets

System.Drawing

System.Text

System.Windows.Forms

System.Net

System.Resources

System.Drawing.Imaging

System.Collections.Generic

System.Runtime.InteropServices

winmm.dll

System.Collections.ObjectModel

SetThreadExecutionState

GetExtendedTcpTable

IPHLPAPI.dll

GetExtendedUdpTable

SetTcpEntry

iphlpapi.dll

wsock32.dll

user32.dll

EnumWindows

User32.dll

msvcrt.dll

keybd_event

MapVirtualKey

advapi32.dll

System.Security.AccessControl

System.ComponentModel

SocketAsyncOperation

KeyboardInput

Webcam

Keylogger

TcpConnections

PasswordRecovery

Website

ChangeEncryptionKey

SubKeyList

PasswordRecoveryPacket

TcpConnectionPacket

dlExecute

StopCmd

CmdIn

KeyLoggerPacket

WebcamPacket

WebcamSocket

Windows

KeyEventArgs

KeyEventHandler

Keys

Microsoft.VisualBasic.MyServices

WebClient

shell32.dll

OperatingSystem

System.Collections

RegistryKey

Microsoft.Win32

ProcessWindowStyle

System.IO.Compression

ntdll.dll

KeyboardHook

KeyDownEventHandler

Crypt32.dll

System.Text.RegularExpressions

WebcamClient

AForge.Video.DirectShow

get_WebcamClient

set_WebcamClient

AForge.Video

System.Security.Cryptography

System.Collections.Specialized

get_SupportsIPv6Addresses

set_SupportsIPv6Addresses

get_SupportsCommandConnect

set_SupportsCommandConnect

get_SupportsCommandBind

set_SupportsCommandBind

get_SupportsCommandAssociate

set_SupportsCommandAssociate

System.Security.Principal

WebRequest

HttpWebRequest

IWebProxy

WebResponse

HttpWebResponse

WindowsIdentity

WindowsPrincipal

WindowsBuiltInRole

System.Management

System.Net.NetworkInformation

System.Globalization

System.CodeDom.Compiler

Microsoft.VisualBasic.CompilerServices

HelpKeywordAttribute

System.ComponentModel.Design

System.Security

115b7917-3f0b-45c4-bdae-cc26f0d73a25.resources

67f7d3a6-57f6-4fde-9c49-039d736dc940.resources

787df9a5-7602-4bad-a87c-e13d7305e884.resources

76b16c5f-f8c3-4b90-bb06-9d3ad0a05180.resources

dc8343e1-712d-4121-b2f3-8f04c5b86d01.resources

get_ExecutablePath

Operators

GetExecutingAssembly

get_LastOperation

ContainsKey

add_KeyDown

get_KeyCode

set_SuppressKeyPress

InvalidOperationException

OpenSubKey

GetSubKeyNames

set_UseShellExecute

set_WindowStyle

CopyPixelOperation

remove_KeyDown

ConfuserEx v0.1.0-custom

1.0.0.0

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

nni.no-ip.biz

Operating System: {0}

Failed to reset encryption key

dc8343e1-712d-4121-b2f3-8f04c5b86d01

115b7917-3f0b-45c4-bdae-cc26f0d73a25

d1144f80-89f9-41ee-8936-ddf64f4269d2

9537bf89-0ff3-4f87-a0d7-955c91b4b104

76b16c5f-f8c3-4b90-bb06-9d3ad0a05180

725fdfb8-cfd9-4922-8719-ef29733d1c57

998877665544332211

19f4c463-c572-4c74-8787-d4a8e36cc01b

ee4ae134-85f6-4e24-a4a1-28499c6bf180

67f7d3a6-57f6-4fde-9c49-039d736dc940

787df9a5-7602-4bad-a87c-e13d7305e884

data.Length: {0} SendIndex: {1} _BufferSize: {2} Offset: {3}

File downloaded & executed

SAPI.spvoice

{0}\{1}{2}

.html

Failed to load SubKeys

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\Run

\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

cmd.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

\\.\DISPLAY1

origin_url

\Google\Chrome\User Data\Default\Login Data

logins

password_value

Google Chrome

Mozilla Firefox\

logins.json

Mozilla\Firefox\Profiles

Mozilla Firefox

"encryptedPassword":".*",

Password: {3}

SQLite format 3

nspr4.dll

mozsqlite3.dll

plds4.dll

ssutil3.dll

mozglue.dll

\nss3.dll

sqlite3.dll

plc4.dll

nssutil3.dll

msvcp100.dll

mozcrt19.dll

msvcr100.dll

PK11_GetInternalKeySlot

\uTorrent\uTorrent.exe

\BitTorrent\bittorrent.exe

\BitTorrent\BitTorrent.exe

\Vuze\Azureus.exe

audioHQdriver.exe

3af4c87a-6a9c-4bb3-8378-969113eb63a5

Port = {0}

{0}\{1}\{2}

\Imminent\Path.dat

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

client.log

/C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "

:Zone.Identifier

taskmgr.exe

/C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "

application/x-www-form-urlencoded

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36

NICK

ClientLoaderForm.resources

JOIN

PRIVMSG

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

cmemoryexecute

Keylogger.

Spyware.NanoCore

Spyware.DarkComet

File could not be removed, removing key

HKEY_CURRENT_USER

Key removed

HKEY_LOCAL_MACHINE

Key could not be removed

HKEY_CURRENT_USER\

HKEY_LOCAL_MACHINE\

winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2

winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter

[{0}] {1}

\Imminent\Geo.dat

hXXp://VVV.iptrackeronline.com/

sampleKey

RegSvcs.exe_3396_rwx_00220000_0000C000:

l.dlf

.Mti3

SearchProtocolHost.exe_3572:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_2348:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   OXKQdheGPi.exe:3408
   RDiR.exe:3360
   %original file name%.exe:1796

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ykwxeum (392 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\RDiR.exe (1874 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1BF8.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\ecFfA.au3 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CfdSACDBWJVW.lnk (846 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\03-11-2016 (354 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\audioHQdriver\audioHQdriver.exe (44 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\OXKQdheGPi.exe (66617 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "audioHQdriver" = "C:\Users\"%CurrentUserName%"\AppData\Local\audioHQdriver\audioHQdriver.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.