Gen.Variant.Adware.Symmi.22722_60f836d28e

by malwarelabrobot on May 20th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Adware.Symmi.22722 (B) (Emsisoft), Gen:Variant.Adware.Symmi.22722 (AdAware), mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 60f836d28e71f67b31abbfcec68e42d9
SHA1: f3c30bb1f00b732ab27670a95a35a6b215ff44e5
SHA256: 0af04d814969c41b4b3b670016471fc71ab8a4f2691a1dd6651dd81782bf48b0
SSDeep: 24576:0lXAjdHVo5QwThNIlzjXrElUVDJkoXUw4FXz5uxN8IivaEsfmMo0y:kQeXMjXriEDGokjXNugIivrs MoB
Size: 1141248 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-10 00:31:38
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

loaywha.exe:1588
loaywha.exe:1512
gxzohti5sgiuq.exe:4620
gxzohtiiegiuq.exe:5808
%original file name%.exe:2076
gxzohthr7aiuqbghrkmh7.exe:1216
gxzohthxkgiuq.exe:5108
bwefqqmkhnd.exe:4144
bwefqqmkhnd.exe:496

The Trojan injects its code into the following process(es):

jhwin32friea.exe:4328

File activity

The process loaywha.exe:1588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ifaadyspb\tst (10 bytes)

The process loaywha.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ifaadyspb\tst (10 bytes)

The process gxzohti5sgiuq.exe:4620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ifaadyspb\tst (10 bytes)

The process %original file name%.exe:2076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gxzohthr7aiuqbghrkmh7.exe (7386 bytes)
%System%\ifaadyspb\tst (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gxzohthr7aiuqbghrkmh7.exe (0 bytes)

The process gxzohthr7aiuqbghrkmh7.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ifaadyspb\tst (10 bytes)
%System%\ifaadyspb\etc (10 bytes)
%System%\bwefqqmkhnd.exe (7547 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process bwefqqmkhnd.exe:4144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ifaadyspb\tst (10 bytes)

The process bwefqqmkhnd.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ifaadyspb\run (10 bytes)
%WinDir%\Temp\gxzohti5sgiuq.exe (7547 bytes)
%WinDir%\Temp\gxzohthxkgiuq.exe (35 bytes)
%System%\ifaadyspb\rng (128 bytes)
%WinDir%\Temp\gxzohti0uiiuq.exe (1940 bytes)
%System%\ifaadyspb\cfg (531 bytes)
%System%\ifaadyspb\aol\zip.exe (10500 bytes)
%System%\jhwin64friea.exe (9540 bytes)
%System%\loaywha.exe (7547 bytes)
%System%\drivers\etc\hosts (726 bytes)
%System%\ifaadyspb\aol\exefile (14580 bytes)
%System%\jhwin32friea.exe (9540 bytes)
%WinDir%\Temp\gxzohtiiegiuq.exe (35 bytes)
%System%\ifaadyspb\ihst (1 bytes)
%System%\ifaadyspb\tst (10 bytes)
%System%\ifaadyspb\por (1 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\gxzohtiiegiuq.exe (0 bytes)
%WinDir%\Temp\gxzohti0uiiuq.exe (0 bytes)
%WinDir%\Temp\gxzohti5sgiuq.exe (0 bytes)
%WinDir%\Temp\gxzohthxkgiuq.exe (0 bytes)

Registry activity

The process gxzohti5sgiuq.exe:4620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F FB 61 71 EB 68 8D DE E0 31 53 07 5E 78 88 02"

The process gxzohtiiegiuq.exe:5808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B F6 B0 98 0E A4 85 EC 04 A4 C0 2C E2 7F 5D CD"

The process gxzohthr7aiuqbghrkmh7.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 F4 53 EC 85 49 5F 68 8F 33 5D 45 3F D6 49 A0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Distributed Launcher" = "%System%\bwefqqmkhnd.exe"

The process jhwin32friea.exe:4328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 09 04 A2 AF C6 FB 21 49 72 59 A5 58 B7 39 FE"

The process gxzohthxkgiuq.exe:5108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 4C 30 49 E0 69 F8 66 2F 37 33 93 AA 62 89 28"

The process bwefqqmkhnd.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 0B 2A A5 B9 28 D4 BE C3 06 60 88 61 AD F0 8C"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

Dropped PE files

MD5 File path
79aef4a7acaeb0e979537a4bc3dcc851 c:\WINDOWS\system32\ifaadyspb\aol\zip.exe
112ec3525e103239e77bcd08cab3a78f c:\WINDOWS\system32\jhwin32friea.exe
03eb1c33e5f9cf68e3c0b55a006fa36a c:\WINDOWS\system32\jhwin64friea.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 726 bytes in size. The following entries are added to the hosts file:

127.0.0.1 my.ebay.com
127.0.0.1 cgi.ebay.com
127.0.0.1 offer.ebay.com
127.0.0.1 feedback.ebay.com
127.0.0.1 motors.search.ebay.com
127.0.0.1 search.ebay.com
127.0.0.1 pages.ebay.com
127.0.0.1 pages.motors.ebay.com
127.0.0.1 myworld.ebay.com
127.0.0.1 motors.listings.ebay.com
127.0.0.1 cgi1.ebay.com
127.0.0.1 contact.ebay.com
127.0.0.1 srx.ebaymotors.ebayrtm.com
127.0.0.1 motors.shop.ebay.com
127.0.0.1 forums.ebay.com
127.0.0.1 answercenter.ebay.com
127.0.0.1 shop.ebay.com
127.0.0.1 ocs.ebay.com
127.0.0.1 cschatlb-na.corp.ebay.com
127.0.0.1 cschat1-na.corp.ebay.com
127.0.0.1 cschat.ebay.com
127.0.0.1 helpdesk.corp.ebay.com
127.0.0.1 qu.corp.ebay.com
127.0.0.1 www.ebay.com


Rootkit activity

No anomalies have been detected.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 648438 648704 4.70821 fcd37a3c44043a8224cd3c2a1c63c3e2
.rdata 655360 54818 55296 3.67442 c45b0873dd5ee5fbc2d4b49be24eaa52
.data 712704 470304 436224 4.40777 4e74405462a7c17b880e1c0c27e8f647

URLs

URL IP
hxxp://98.139.135.198/index.php?method=post&type=miner_forced&mode=sox&v=029&sox=3c8a4c01&lport=1&rsid=3ccd0000&slots=0&spm=1&adm=1&x64=0&mr=0
hxxp://98.139.135.198/index.php?method=checkport&port=30758&mode=sox&v=029&sox=3c8a4c01&lport=1&rsid=3ccd0000&slots=0&spm=1&adm=1&x64=0&mr=0
hxxp://tablefruit.net/index.php?method=checkport&port=30758&mode=sox&v=029&sox=3c8a4c01&lport=1&rsid=3ccd0000&slots=0&spm=1&adm=1&x64=0&mr=0
relay.ypool.net 128.65.210.247


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /index.php?method=checkport&port=30758&mode=sox&v=029&sox=3c8a4c01&lport=1&rsid=3ccd0000&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net


HTTP/1.0 200 OK
Date: Mon, 19 May 2014 14:27:48 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN C


The Trojan connects to the servers at the following location(s):

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    loaywha.exe:1588
    loaywha.exe:1512
    gxzohti5sgiuq.exe:4620
    gxzohtiiegiuq.exe:5808
    %original file name%.exe:2076
    gxzohthr7aiuqbghrkmh7.exe:1216
    gxzohthxkgiuq.exe:5108
    bwefqqmkhnd.exe:4144
    bwefqqmkhnd.exe:496

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\ifaadyspb\tst (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gxzohthr7aiuqbghrkmh7.exe (7386 bytes)
    %System%\ifaadyspb\etc (10 bytes)
    %System%\bwefqqmkhnd.exe (7547 bytes)
    %System%\drivers\etc\hosts (22 bytes)
    %System%\ifaadyspb\run (10 bytes)
    %WinDir%\Temp\gxzohti5sgiuq.exe (7547 bytes)
    %WinDir%\Temp\gxzohthxkgiuq.exe (35 bytes)
    %System%\ifaadyspb\rng (128 bytes)
    %WinDir%\Temp\gxzohti0uiiuq.exe (1940 bytes)
    %System%\ifaadyspb\cfg (531 bytes)
    %System%\ifaadyspb\aol\zip.exe (10500 bytes)
    %System%\jhwin64friea.exe (9540 bytes)
    %System%\loaywha.exe (7547 bytes)
    %System%\ifaadyspb\aol\exefile (14580 bytes)
    %System%\jhwin32friea.exe (9540 bytes)
    %WinDir%\Temp\gxzohtiiegiuq.exe (35 bytes)
    %System%\ifaadyspb\ihst (1 bytes)
    %System%\ifaadyspb\por (1 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Distributed Launcher" = "%System%\bwefqqmkhnd.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):

    127.0.0.1 localhost

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
