MD5: ab581b9fd416db3a1d219c99fd5f6928
SHA1: c27b4298ad5d8047b3b3c1faa2212395444812b6
SHA256: ce61c8f179caa29dd6687c0a5fd3f9eddddfd212d82cce4bd65aa0d581a99c85
SSDeep: 24576:H/3m1aEZUzDau5BPDLSAH CXpzB2OsltoBxwdQJRHz2E2CRZcPjQ/mT:7BHSAHJpzB2HltoBxwgdZ3cP0/E
Size: 1102848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-10 01:00:53
Analyzed on: WindowsXP SP3 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

vhlsuvb.exe:3788
vhlsuvb.exe:1812
qxuzlcfr13pkeya.exe:4264
qxuzlcfr15fptya.exe:2676
thvdtttcvct.exe:3408
thvdtttcvct.exe:172
qxuzlcfr13kphyabs8ogvf.exe:2412
qxuzlcfr15i4mya.exe:4992
%original file name%.exe:1064

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process vhlsuvb.exe:3788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wfskmoeknsu\tst (10 bytes)

The process vhlsuvb.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wfskmoeknsu\tst (10 bytes)

The process qxuzlcfr15fptya.exe:2676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wfskmoeknsu\tst (10 bytes)

The process thvdtttcvct.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wfskmoeknsu\cfg (373 bytes)
%WinDir%\Temp\qxuzlcfr13pkeya.exe (35 bytes)
%WinDir%\Temp\qxuzlcfr15i4mya.exe (35 bytes)
%System%\vhlsuvb.exe (7433 bytes)
%System%\wfskmoeknsu\aol\zip.exe (10500 bytes)
%System%\win32mroclient.exe (27616 bytes)
%System%\wfskmoeknsu\aol\exefile (14580 bytes)
%System%\wfskmoeknsu\ihst (222 bytes)
%System%\drivers\etc\hosts (100 bytes)
%WinDir%\Temp\qxuzlcfr15fptya.exe (7433 bytes)
%System%\wfskmoeknsu\run (10 bytes)
%System%\wfskmoeknsu\aol\phantomjs.exe (183012 bytes)
%System%\win64mroclient.exe (76437 bytes)
%WinDir%\Temp\qxuzlcfr15g9cya.exe (1940 bytes)
%System%\wfskmoeknsu\rng (32 bytes)
%System%\wfskmoeknsu\tst (10 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\qxuzlcfr13pkeya.exe (0 bytes)
%WinDir%\Temp\qxuzlcfr15fptya.exe (0 bytes)
%WinDir%\Temp\qxuzlcfr15g9cya.exe (0 bytes)

The process thvdtttcvct.exe:172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wfskmoeknsu\tst (10 bytes)

The process qxuzlcfr13kphyabs8ogvf.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (22 bytes)
%System%\wfskmoeknsu\etc (10 bytes)
%System%\thvdtttcvct.exe (7433 bytes)
%System%\wfskmoeknsu\tst (10 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process %original file name%.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qxuzlcfr13kphyabs8ogvf.exe (5442 bytes)
%System%\wfskmoeknsu\tst (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qxuzlcfr13kphyabs8ogvf.exe (0 bytes)

Registry activity

The process qxuzlcfr13pkeya.exe:4264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 4D 77 A1 63 41 4E F6 E2 26 95 2A F8 40 14 0A"

The process qxuzlcfr15fptya.exe:2676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 7F 20 E5 F7 57 3A 05 A2 A6 48 3F 2E 08 A6 0F"

The process thvdtttcvct.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 F9 4B A3 1D CF 77 E8 0C BC F1 B9 EA 02 ED 8B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process qxuzlcfr13kphyabs8ogvf.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED A3 D4 6F 67 99 1B 25 1A C4 C4 C3 F4 76 1C DE"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KtmRm Protocol Files Internet" = "%System%\thvdtttcvct.exe"

The process qxuzlcfr15i4mya.exe:4992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 9B A3 54 87 49 45 AC 4C 5F 5E F9 31 1E A2 E5"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 100 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

QSSSSSSh

SRSSSh

SSSh0EC

SSShP;D

SQSSSh

}dSSShp

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

compass of my curse,--

[Exeunt]

To join with him and right his heinous wrongs.

Tell him Revenge is come to join with him,

And what is written shall be executed.

thvdtttcvct.exe

ya.exe

vhlsuvb.exe

[Alarum. Enter KING HENRY, EXETER, BEDFORD,

EDWARD, and EXETER]

Nay, take me with thee, good sweet Exeter:

Well, let that pass. Dorset is fled to Richmond.

certain of the Guard, and two Secretaries with

papers. CARDINAL WOLSEY in his passage fixeth his

[Exeunt PETRUCHIO and GRUMIO]

Or I am much deceived, of Portia.

PORTIA

[Exeunt LADY CAPULET and Nurse]

Away with the joint-stools, remove the

the porter let in Susan Grindstone and Nell.

[Exeunt FLORIZEL, PERDITA, and CAMILLO]

How much they do to import, you would make haste.

Comes hunting this way to disport himself.

What's thy passion!

Against that time when thou shalt strangely passe,

[Exeunt Ladies]

May stand with ours, this day to be conjoin'd

All ports I'll bar; the villain shall not 'scape;

Thought and affliction, passion, hell itself,

And we shall jointly labour with your soul

Who, with a charm join'd to their suffer'd labour,

First Executioner

[Exeunt Executioners]

Let him come back, that his compassion may

Partly for that her promised proportions

And here remain with your uncertainty!

[Exeunt CORIOLANUS, COMINIUS, MENENIUS, Senators,

Her two blue windows faintly she up-heaveth,

The interruption of their churlish drums

DUKE OF EXETER

(EXETER:)

Then give me leave that I may turn the key,

Remember, as thou read'st, thy promise pass'd:

[Exeunt PISTOL, and French Soldier]

adventurously. I must stay with the lackeys, with

[Exeunt the followers of SATURNINUS]

She swore, in faith, twas strange, 'twas passing strange,

She loved me for the dangers I had pass'd,

[Exeunt Duke and his train]

[Exeunt Officers with MISTRESS OVERDONE]

Knows not my feeble key of untuned cares?

Enforce the present execution

a churlish philosopher.

Nature and Fortune join'd to make thee great:

She adulterates hourly with thine uncle John,

That no supporter but the huge firm earth

Then jointly to the ground their knees they bow;

If Warwick be so near as men report.

[Enter, at one door KING HENRY, EXETER, BEDFORD,

9_%XRTN

I will frown as I pass by, and let them take it as

[Flourish. Exeunt KING RICHARD II and train]

'twill out at the key-hole; stop that, 'twill fly

Then were it certain you were not so bad

general, that, upon certain tidings now arrived,

importing the mere perdition of the Turkish fleet,

some to make bonfires, each man to what sport and

Not to outsport discretion.

L]ismay'd: be cheerful, sir.

As thou being mine,mine is thy good report.

I will not be the executioner.

Of all rejoindure, forcibly prevents

parcel of their feast, and to be executed ere they

I was directed hither: men report

[Exeunt all but KING HENRY VI and EXETER]

Cousin of Exeter, what thinks your lordship?

[Aside to PORTIA]

Belmont. Avenue to PORTIA'S house.

As time and our concernings shall importune,

To the hopeful execution do I leave you

For which the people stir: if you will pass

purpose as then each bore, upon importance of so

proportion to live quietly, and so give over.

was at Exeter,

Look, how this ring encompasseth finger.

that pass. Peter Simple, you say your name is?

L.LmF

[Exeunt NORFOLK and SUFFOLK]

Cardinal of York, are join'd with me their servant

Charms this report out.

Be certain what you do, sir, lest your justice

Passion as they, be kindlier moved than thou art?

pit; then exeunt DEMETRIUS and CHIRON, dragging

Well could I leave our sport to sleep awhile.

A chilling sweat o'er-runs my trembling joints:

Some certain edicts and some strait decrees

[Exeunt Antipholus of Syracuse and Dromio of Syracuse

But till this afternoon his passion

r.PX0

Trim sport for them that had the doing of it.

5n.mYF

7.LN'cL

WftP

48uWU.Wu

Should pass this way as you did: O, the Fates!

[Exeunt GOWER and FLUELLEN]

there are certain condolements, certain vails. I

While I, their king, that hither them importune,

_8.ks

[Exeunt PRINCE HENRY, POINS, PETO and BARDOLPH]

[Exeunt Lords]

No certain life achieved by others' death.

Methinks his words do from such passion fly,

;%SHD

Bring me no more reports; let them fly all:

To make it truster of your own report

Both warbling of one song, both in one key,

To join with men in scorning your poor friend?

passion came so near the life of passion as she

Why, what effects of passion shows she?

[Exeunt PETRUCHIO and KATHARINA]

Nay, that's certain:

Certain: Alcibiades reports it; Phrynia and

what they travail for, if it be a just true report

That makes his opening with this bigger key:

[Exeunt Ma0

-5".IE 

CJ-e}

me your good report to the prince my master.

To unpath'd waters, undream'd shores, most certain

Nothing so certain as your anchors, who

When she saw Pyrrhus make malicious sport

rightly, can ever believe such impossible passages

a thing as 'tis. I can hardly forbear hurling things

[Exeun

[Exeunt ROSALIND and CELIA]

What passion hangs these weights upon my tongue?

Are many simples operative, whose power

My mourning and important tears hath pitied.

What might import my sister's letter to him?

Transport her purposes by word? Belike,

So likely to report themselves: the cutter

And with our sprightly port make the ghosts gaze:

I' the common show-place, where they exercise.

As 'tis reported, so.

'Poor forlorn Proteus, passionate Proteus,

zcÁ

%System%\vhlsuvb.exe

|spendstudy.net

WATCHDOGPROC "c:\windows\system32\thvdtttcvct.exe"

%System%\thvdtttcvct.exe

mscoree.dll

KERNEL32.DLL

vhlsuvb.exe_3788:

.text

`.rdata

@.data

QSSSSSSh

SRSSSh

SSSh0EC

SSShP;D

SQSSSh

}dSSShp

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

compass of my curse,--

[Exeunt]

To join with him and right his heinous wrongs.

Tell him Revenge is come to join with him,

And what is written shall be executed.

thvdtttcvct.exe

ya.exe

vhlsuvb.exe

[Alarum. Enter KING HENRY, EXETER, BEDFORD,

EDWARD, and EXETER]

Nay, take me with thee, good sweet Exeter:

Well, let that pass. Dorset is fled to Richmond.

certain of the Guard, and two Secretaries with

papers. CARDINAL WOLSEY in his passage fixeth his

[Exeunt PETRUCHIO and GRUMIO]

Or I am much deceived, of Portia.

PORTIA

[Exeunt LADY CAPULET and Nurse]

Away with the joint-stools, remove the

the porter let in Susan Grindstone and Nell.

[Exeunt FLORIZEL, PERDITA, and CAMILLO]

How much they do to import, you would make haste.

Comes hunting this way to disport himself.

What's thy passion!

Against that time when thou shalt strangely passe,

[Exeunt Ladies]

May stand with ours, this day to be conjoin'd

All ports I'll bar; the villain shall not 'scape;

Thought and affliction, passion, hell itself,

And we shall jointly labour with your soul

Who, with a charm join'd to their suffer'd labour,

First Executioner

[Exeunt Executioners]

Let him come back, that his compassion may

Partly for that her promised proportions

And here remain with your uncertainty!

[Exeunt CORIOLANUS, COMINIUS, MENENIUS, Senators,

Her two blue windows faintly she up-heaveth,

The interruption of their churlish drums

DUKE OF EXETER

(EXETER:)

Then give me leave that I may turn the key,

Remember, as thou read'st, thy promise pass'd:

[Exeunt PISTOL, and French Soldier]

adventurously. I must stay with the lackeys, with

[Exeunt the followers of SATURNINUS]

She swore, in faith, twas strange, 'twas passing strange,

She loved me for the dangers I had pass'd,

[Exeunt Duke and his train]

[Exeunt Officers with MISTRESS OVERDONE]

Knows not my feeble key of untuned cares?

Enforce the present execution

a churlish philosopher.

Nature and Fortune join'd to make thee great:

She adulterates hourly with thine uncle John,

That no supporter but the huge firm earth

Then jointly to the ground their knees they bow;

If Warwick be so near as men report.

[Enter, at one door KING HENRY, EXETER, BEDFORD,

9_%XRTN

I will frown as I pass by, and let them take it as

[Flourish. Exeunt KING RICHARD II and train]

'twill out at the key-hole; stop that, 'twill fly

Then were it certain you were not so bad

general, that, upon certain tidings now arrived,

importing the mere perdition of the Turkish fleet,

some to make bonfires, each man to what sport and

Not to outsport discretion.

As thou being mine,mine is thy good report.

I will not be the executioner.

Of all rejoindure, forcibly prevents

parcel of their feast, and to be executed ere they

I was directed hither: men report

[Exeunt all but KING HENRY VI and EXETER]

Cousin of Exeter, what thinks your lordship?

[Aside to PORTIA]

Belmont. Avenue to PORTIA'S house.

As time and our concernings shall importune,

To the hopeful execution do I leave you

For which the people stir: if you will pass

purpose as then each bore, upon importance of so

proportion to live quietly, and so give over.

was at Exeter,

Look, how this ring encompasseth finger.

that pass. Peter Simple, you say your name is?

L.LmF

[Exeunt NORFOLK and SUFFOLK]

Cardinal of York, are join'd with me their servant

Charms this report out.

Be certain what you do, sir, lest your justice

Passion as they, be kindlier moved than thou art?

pit; then exeunt DEMETRIUS and CHIRON, dragging

Well could I leave our sport to sleep awhile.

A chilling sweat o'er-runs my trembling joints:

Some certain edicts and some strait decrees

[Exeunt Antipholus of Syracuse and Dromio of Syracuse

But till this afternoon his passion

r.PX0

Trim sport for them that had the doing of it.

5n.mYF

7.LN'cL

WftP

48uWU.Wu

Should pass this way as you did: O, the Fates!

[Exeunt GOWER and FLUELLEN]

there are certain condolements, certain vails. I

While I, their king, that hither them importune,

_8.ks

[Exeunt PRINCE HENRY, POINS, PETO and BARDOLPH]

[Exeunt Lords]

No certain life achieved by others' death.

Methinks his words do from such passion fly,

;%SHD

Bring me no more reports; let them fly all:

To make it truster of your own report

Both warbling of one song, both in one key,

To join with men in scorning your poor friend?

passion came so near the life of passion as she

Why, what effects of passion shows she?

[Exeunt PETRUCHIO and KATHARINA]

Nay, that's certain:

Certain: Alcibiades reports it; Phrynia and

what they travail for, if it be a just true report

That makes his opening with this bigger key:

[Exeunt Ma0

-5".IE 

CJ-e}

me your good report to the prince my master.

To unpath'd waters, undream'd shores, most certain

Nothing so certain as your anchors, who

When she saw Pyrrhus make malicious sport

rightly, can ever believe such impossible passages

a thing as 'tis. I can hardly forbear hurling things

[Exeun

[Exeunt ROSALIND and CELIA]

What passion hangs these weights upon my tongue?

Are many simples operative, whose power

My mourning and important tears hath pitied.

What might import my sister's letter to him?

Transport her purposes by word? Belike,

So likely to report themselves: the cutter

And with our sprightly port make the ghosts gaze:

I' the common show-place, where they exercise.

As 'tis reported, so.

'Poor forlorn Proteus, passionate Proteus,

zcÁ

%System%\vhlsuvb.exe

mscoree.dll

KERNEL32.DLL

qxuzlcfr15fptya.exe_2676:

.text

`.rdata

@.data

QSSSSSSh

SRSSSh

SSSh0EC

SSShP;D

SQSSSh

}dSSShp

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

compass of my curse,--

[Exeunt]

To join with him and right his heinous wrongs.

Tell him Revenge is come to join with him,

And what is written shall be executed.

thvdtttcvct.exe

ya.exe

vhlsuvb.exe

[Alarum. Enter KING HENRY, EXETER, BEDFORD,

EDWARD, and EXETER]

Nay, take me with thee, good sweet Exeter:

Well, let that pass. Dorset is fled to Richmond.

certain of the Guard, and two Secretaries with

papers. CARDINAL WOLSEY in his passage fixeth his

[Exeunt PETRUCHIO and GRUMIO]

Or I am much deceived, of Portia.

PORTIA

[Exeunt LADY CAPULET and Nurse]

Away with the joint-stools, remove the

the porter let in Susan Grindstone and Nell.

[Exeunt FLORIZEL, PERDITA, and CAMILLO]

How much they do to import, you would make haste.

Comes hunting this way to disport himself.

What's thy passion!

Against that time when thou shalt strangely passe,

[Exeunt Ladies]

May stand with ours, this day to be conjoin'd

All ports I'll bar; the villain shall not 'scape;

Thought and affliction, passion, hell itself,

And we shall jointly labour with your soul

Who, with a charm join'd to their suffer'd labour,

First Executioner

[Exeunt Executioners]

Let him come back, that his compassion may

Partly for that her promised proportions

And here remain with your uncertainty!

[Exeunt CORIOLANUS, COMINIUS, MENENIUS, Senators,

Her two blue windows faintly she up-heaveth,

The interruption of their churlish drums

DUKE OF EXETER

(EXETER:)

Then give me leave that I may turn the key,

Remember, as thou read'st, thy promise pass'd:

[Exeunt PISTOL, and French Soldier]

adventurously. I must stay with the lackeys, with

[Exeunt the followers of SATURNINUS]

She swore, in faith, twas strange, 'twas passing strange,

She loved me for the dangers I had pass'd,

[Exeunt Duke and his train]

[Exeunt Officers with MISTRESS OVERDONE]

Knows not my feeble key of untuned cares?

Enforce the present execution

a churlish philosopher.

Nature and Fortune join'd to make thee great:

She adulterates hourly with thine uncle John,

That no supporter but the huge firm earth

Then jointly to the ground their knees they bow;

If Warwick be so near as men report.

[Enter, at one door KING HENRY, EXETER, BEDFORD,

9_%XRTN

I will frown as I pass by, and let them take it as

[Flourish. Exeunt KING RICHARD II and train]

'twill out at the key-hole; stop that, 'twill fly

Then were it certain you were not so bad

general, that, upon certain tidings now arrived,

importing the mere perdition of the Turkish fleet,

some to make bonfires, each man to what sport and

Not to outsport discretion.

As thou being mine,mine is thy good report.

I will not be the executioner.

Of all rejoindure, forcibly prevents

parcel of their feast, and to be executed ere they

I was directed hither: men report

[Exeunt all but KING HENRY VI and EXETER]

Cousin of Exeter, what thinks your lordship?

[Aside to PORTIA]

Belmont. Avenue to PORTIA'S house.

As time and our concernings shall importune,

To the hopeful execution do I leave you

For which the people stir: if you will pass

purpose as then each bore, upon importance of so

proportion to live quietly, and so give over.

was at Exeter,

Look, how this ring encompasseth finger.

that pass. Peter Simple, you say your name is?

L.LmF

[Exeunt NORFOLK and SUFFOLK]

Cardinal of York, are join'd with me their servant

Charms this report out.

Be certain what you do, sir, lest your justice

Passion as they, be kindlier moved than thou art?

pit; then exeunt DEMETRIUS and CHIRON, dragging

Well could I leave our sport to sleep awhile.

A chilling sweat o'er-runs my trembling joints:

Some certain edicts and some strait decrees

[Exeunt Antipholus of Syracuse and Dromio of Syracuse

But till this afternoon his passion

r.PX0

Trim sport for them that had the doing of it.

5n.mYF

7.LN'cL

WftP

48uWU.Wu

Should pass this way as you did: O, the Fates!

[Exeunt GOWER and FLUELLEN]

there are certain condolements, certain vails. I

While I, their king, that hither them importune,

_8.ks

[Exeunt PRINCE HENRY, POINS, PETO and BARDOLPH]

[Exeunt Lords]

No certain life achieved by others' death.

Methinks his words do from such passion fly,

;%SHD

Bring me no more reports; let them fly all:

To make it truster of your own report

Both warbling of one song, both in one key,

To join with men in scorning your poor friend?

passion came so near the life of passion as she

Why, what effects of passion shows she?

[Exeunt PETRUCHIO and KATHARINA]

Nay, that's certain:

Certain: Alcibiades reports it; Phrynia and

what they travail for, if it be a just true report

That makes his opening with this bigger key:

[Exeunt Ma0

-5".IE 

CJ-e}

me your good report to the prince my master.

To unpath'd waters, undream'd shores, most certain

Nothing so certain as your anchors, who

When she saw Pyrrhus make malicious sport

rightly, can ever believe such impossible passages

a thing as 'tis. I can hardly forbear hurling things

[Exeun

[Exeunt ROSALIND and CELIA]

What passion hangs these weights upon my tongue?

Are many simples operative, whose power

My mourning and important tears hath pitied.

What might import my sister's letter to him?

Transport her purposes by word? Belike,

So likely to report themselves: the cutter

And with our sprightly port make the ghosts gaze:

I' the common show-place, where they exercise.

As 'tis reported, so.

'Poor forlorn Proteus, passionate Proteus,

zcÁ

%WinDir%\TEMP\qxuzlcfr15fptya.exe

mscoree.dll

KERNEL32.DLL

win32mroclient.exe_3376:

.text

p`.data

.rdata

`@.bss

.idata

\\\\5\\\\

|$\3|$81

\$\3\$`3

""""%""""1

1|$,1\$,

|$@3\$,3\$0

\$$!|$$!

|$ 1|$41

\$0#\$(1

\$\3\$ 1|$(

\$43\$01

\$ 3\$41

1\$,1|$,

\$ 3\$(3\$8

|$03|$43|$@

|$,3|$83|$ 3|$

|$4#|$(3<$

%UUUU

L$p%UUUU

|$43|$<1

SHA256 block transform for x86, CRYPTOGAMS by 

libgcj-13.dll

accepted: %lu/%lu (%.2f%%), %.2f H/s at diff %g %s

accepted: %lu/%lu (%.2f%%), %s khash/s %s

DEBUG: reject reason: %s

DEBUG: job_id='%s' extranonce2=%s ntime=x

{"method": "getjob", "params": {"id": "%s"}, "id":1}

JSON decode of %s failed

http://

https://

stratum tcp://

http://%s

cpuminer 2.3.3

Starting Stratum on %s

...terminating workio thread

...retry after %d seconds

JSON decode failed(%d): %s

Binding thread %d to cpu %d

thread %d: %lu hashes, %.2f H/s

thread %d: %lu hashes, %.2f khash/s

Total: %s H/s

Total: %s khash/s

work retrieval failed, exiting mining thread %d

JSON key '%s' not found

JSON key '%s' is not a string

{"method": "login", "params": {"login": "%s", "pass": "%s", "agent": "cpuminer-multi/0.1"}, "id": 1}

Auth id: %s

JSON returned status "%s"

DEBUG: authenticated in %d ms

json_rpc2.0 error: %s

CURL initialization failed

%s%s%s

Long-polling activated for %s

{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}

{"method": "submit", "params": {"id": "%s", "job_id": "%s", "nonce": "%s", "result": "%s"}, "id":1}

{"method": "getwork", "params": [ "%s" ], "id":1}

getwork failed, retry after %d seconds

DEBUG: got new work in %d ms

%s: unsupported non-option argument '%s'

JSON option %s invalid

%s: no URL supplied

%s:%s

https:

thread %d create failed

%d miner threads started, using '%s' algorithm.

cert

userpass

[%d-d-d d:d:d] %s

User-Agent: cpuminer/2.3.3

HTTP request failed: %s

JSON-RPC call failed: %s

hex2bin failed on '%s'

DEBUG: %s

Hash: %s

Target: %s

http%s

Stratum connection failed: %s

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3", "%s"]}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3"]}

mining.notify

Stratum session id: %s

mining.set_difficulty

client.reconnect

stratum tcp://%s:%d

Ignoring request to reconnect to %s

Server requested reconnection to %s

client.get_version

cpuminer/2.3.3

client.show_message

MESSAGE FROM SERVER: %s

{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}

tXXFr.rh.44Aw-wl-66

r.rh.44Fw-wl-66A

.rh.44Fr-wl-66Aw

O9K\9..eKW

trh.44Fr.wl-66Aw-

K\9..eK9

h.44Fr.rl-66Aw-w

O\9..eK9K=W

.44Fr.rh-66Aw-wl

9..eK9K\W

t44Fr.rh.66Aw-wl-

..eK9K\9

tX4Fr.rh.46Aw-wl-6

.eK9K\9.

:x

:,7.35.0

smtp

tftp

getpeername() failed with errno %d: %s

getsockname() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

ssloc inet_ntop() failed with errno %d: %s

sa_addr inet_ntop() failed with errno %d: %s

Trying %s...

Could not set TCP_NODELAY: %s

TCP_NODELAY set

Failed to set SO_KEEPALIVE on fd %d

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d

Couldn't bind to interface '%s'

Local Interface %s is ip %s using address family %i

Name '%s' family %i resolved to '%s' family %i

Local port: %hu

Bind to local port %hu failed, trying next

bind failed with errno %d: %s

Immediate connect fail for %s: %s

Couldn't bind to '%s'

connect to %s port %ld failed: %s

Failed to connect to %s port %ld: %s

[%s %s %s]

Send failure: %s

Recv failure: %s

Write callback asked for PAUSE when not supported!

%s:%d

Hostname was %sfound in DNS cache

timeout on name lookup is not supported

%5[^:]:%d:%5s

Resolve %s found illegal!

Added %s:%d:%s to DNS cache

IDN support not present, can't parse Unicode domains

CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

Connected to %s (%s) port %ld (#%ld)

User-Agent: %s

[^:]:%[^

:]://%[^

 malformed

SMTP.

Rebuilt URL to: %s

Protocol %s not supported or disabled in libcurl

%s://%s

http_proxy

[%*45[0123456789abcdefABCDEF:.]%c

;type=%c

%s://%s%s%s:%hu%s%s%s

Port number too large: %lu

Couldn't find host %s in the _netrc file; using defaults

[email protected]

Found bundle for host %s: %p

Server doesn't support pipelining

Found connection %ld, with requests in the pipe (%zu)

Re-using existing connection! (#%ld) with host %s

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Connection #%ld to host %s left intact

Curl_poll(%d ds, %d ms)

Internal error clearing splay node = %d

Internal error removing splay node = %d

Pipe broke: handle 0x%p, url = %s

In state %d with no easy_conn, bail out!

Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received

Operation timed out after %ld milliseconds with %I64d bytes received

#HttpOnly_

23[^;

=]=I99[^;

httponly

skipped cookie with bad tailmatch domain: %s

%s cookie %s="%s" for domain %s, path %s, expire %I64d

# Netscape HTTP Cookie File

# http://curl.haxx.se/docs/http-cookies.html

# This file was generated by libcurl! Edit at your own risk.

# Fatal libcurl error

WARNING: failed to save cookies in %s

%d.%d.%d.%d

CURLSHcode unknown

Protocol option is unsupported

Protocol is unsupported

Socket is unsupported

Operation not supported

Address family not supported

Protocol family not supported

Winsock version not supported

Unknown error %d (%#x)

Please call curl_multi_perform() soon

Unsupported protocol

URL using bad/illegal format or missing URL

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

FTP: weird server reply

FTP: The server failed to connect to data port

FTP: unknown PASS reply

FTP: Accepting server connect has timed out

FTP: unknown PASV reply

FTP: unknown 227 response format

FTP: can't figure out the host in the PASV response

FTP: couldn't set file type

FTP: couldn't retrieve (RETR failed) the specified file

HTTP response code said error

FTP: command PORT failed

FTP: command REST failed

Operation was aborted by an application callback

A libcurl function was given a bad argument

An unknown option was passed in to libcurl

SSL peer certificate or SSH remote key was not OK

Problem with the local SSL certificate

Peer certificate cannot be authenticated with given CA certificates

Unrecognized or bad HTTP Content or Transfer-Encoding

Invalid LDAP URL

Login denied

TFTP: File Not Found

TFTP: Access Violation

TFTP: Illegal operation

TFTP: Unknown transfer ID

TFTP: No such user

Caller must register CURLOPT_CONV_ callback options

Problem with the SSL CA cert (path? access rights?)

Error in the SSH layer

Issuer check against peer certificate failed

FTP: The server did not accept the PRET command.

Unable to parse FTP file list

0123456789

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s

Curl_ipv4_resolve_r failed for %s

%sAuthorization: Basic %s

HTTP/

Avoided giant realloc for header (max is %d)!

The requested URL returned error: %d

%s auth using %s with user '%s'

%s, d %s M d:d:d GMT

If-Modified-Since: %s

If-Unmodified-Since: %s

Last-Modified: %s

Referer: %s

Accept-Encoding: %s

Host: %s%s%s

Host: %s%s%s:%hu

ftp://

Range: bytes=%s

Content-Range: bytes %s%I64d/%I64d

Content-Range: bytes %s/%I64d

ftp://%s:%s@%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s=%s

Internal HTTP POST error!

Content-Type: application/x-www-form-urlencoded

Failed sending HTTP POST request

Failed sending HTTP request

Chunky upload is not supported by HTTP 1.0

HTTP error before end of send, stop sending

HTTP/%d.%d =

HTTP =

RTSP/%d.%d =

The requested URL returned error: %s

HTTP 1.0, assume close after body

HTTP/1.0 proxy connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 connection set to keep alive!

USER %s

PBSZ %d

Failure sending QUIT command: %s

ftp server doesn't support SIZE

RETR %s

Connect data stream passively

APPE %s

STOR %s

SIZE %s

getsockname() failed: %s

failed to resolve the address provided to PORT: %s

bind(port=%hu) on non-local address failed: %s

bind(port=%hu) failed: %s

bind() failed, we ran out of ports!

socket failure: %s

%s |%d|%s|%hu|

Failure sending EPRT command: %s

,%d,%d

%s %s

Failure sending PORT command: %s

Uploading to a URL without a file name!

FTPS not supported!

PASS %s

ACCT %s

Access denied: d

%c%c%c%u%c

Illegal port number in EPSV reply

%d,%d,%d,%d,%d,%d

Skips %d.%d.%d.%d for data connection, uses %s instead

Bad PASV/EPSV response: d

Can't resolve proxy host %s:%hu

Can't resolve new host %s:%hu

Connecting to %s (%s) port %d

TYPE %c

MDTM %s

CWD %s

PRET %s

PRET STOR %s

PRET RETR %s

REST %d

FTP response timeout

FTP response aborted due to select/poll error: %d

Preparing for accepting server on data port

Got a d ftp-server response when 220 was expected

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

ACCT rejected by server: d

PROT %c

Entry path is '%s'

QUOT command failed with d

MKD %s

Failed to MKD dir: d

dddddd

ddd d:d:d GMT

Last-Modified: %s, d %s M d:d:d GMT

unsupported MDTM reply format

Got a d response code instead of the assumed 200

PRET command not accepted: d

Failed to do PORT

RETR response: d

Failed FTP upload: 

Wildcard - START of "%s"

Wildcard - "%s" skipped by user

ftp_perform ends with SECONDARY: %d

Remembering we are in dir "%s"

Failure sending ABOR command: %s

server did not report OK, got %d

QUOT string not accepted: %s

PORT

%s IAC %s

%s IAC %d

%s %s %s

%s %s %d

%s %d %d

Sending data failed (%d)

%s IAC SB

%s (unsupported)

%d (unknown)

%c%c%c%c%s%c%c

%c%c%c%c

7[^,],7s

%c%s%c%s

USER,%s

7[^= ]%*[ =]%5s

Syntax error in telnet option: %s

Unknown telnet option %s

WSAStartup failed (%d)

insufficient winsock version to support telnet

failed to load WS2_32.DLL (%d)

failed to find WSACreateEvent function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSAEnumNetworkEvents function (%d)

WSACreateEvent failed (%d)

WSAEnumNetworkEvents failed (%d)

WSACloseEvent failed (%d)

FreeLibrary(wsock2) failed (%d)

WS2_32.DLL

CLIENT libcurl 7.35.0

MATCH %s %s %s

DEFINE %s %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

LDAP local: %s

LDAP local: Cannot connect to %s:%ld

LDAP local: ldap_simple_bind_s %s

LDAP remote: %s

There are more than %d entries

LDAP local: trying to establish %s connection

Couldn't open file %s

Can't open %s for writing

Can't get the size of %s

Received last DATA packet block %d again.

Received unexpected DATA packet block %d, expecting block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

set timeouts for state %d; Total %ld, retry %d maxtry %d

Received ACK for block %d, expecting %d

tftp_tx: giving up waiting for block %d ack

tftp_tx: internal error, event: %i

bind() failed; %s

%s%c%s%c

tftp_send_first: internal error

TFTP finished

TFTP response timeout

got option=(%s) value=(%s)

blksize is larger than max supported

%s (%d)

blksize is smaller than min supported

%s (%ld)

%s (%d) %s (%d)

invalid tsize -:%s:- value in OACK packet

TFTP

%cd

LIST "%s" *

FETCH %s BODY[%s]

LOGIN

LOGIN %s %s

AUTHENTICATE %s %s

AUTHENTICATE %s

No known authentication mechanisms supported!

IMAPS not supported!

Access denied: %d

APPEND %s (\Seen) {%I64d}

SELECT %s

LOGINDISABLED

STARTTLS not supported.

STARTTLS denied. %c

Access denied. %c

Authentication failed: %d

AUTH %s %s

POP3S not supported!

APOP %s %s

STLS not supported.

RCPT TO:%s

RCPT TO:<%s>

SMTPS not supported!

Got unexpected smtp-server response: %d

EHLO %s

HELO %s

Remote access denied: %d

Command failed: %d

MAIL failed: %d

RCPT failed: %d

DATA failed: %d

MAIL FROM:%s

MAIL FROM:%s AUTH=%s

MAIL FROM:%s AUTH=%s SIZE=%s

MAIL FROM:%s SIZE=%s

SMTP

Refusing to issue an RTSP request [%s] without a session ID.

Transport:

Transport: %s

Refusing to issue an RTSP SETUP without a Transport: header.

Range: %s

%s %s RTSP/1.0

Session: %s

%s%s%s%s%s%s

Unable to read the CSeq header: [%s]

Got RTSP Session ID Line [%s], but wanted ID [%s]

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

%%X

xxxx

%s:%s:%s

%s:%.*s

%s:%s:x:%s:%s:%s

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=x, qop=%s, response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"

%s, opaque="%s"

%s, algorithm="%s"

SOCKS4 communication to %s:%d

SOCKS4 connect to %s (locally resolved)

Failed to resolve "%s" for SOCKS4 connect.

SOCKS4%s request granted.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5 GSSAPI per-message authentication is not supported.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

Failed to resolve "%s" for SOCKS5 connect.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Can't complete SOCKS5 connection to %s:%d. (%d)

Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)

Establish HTTP proxy tunnel to %s:%hu

%s:%hu

%s%s%s:%hu

Host: %s

CONNECT %s HTTP/%s

%s%s%s%s

HTTP/1.%d %d

TUNNEL_STATE switched to: %d

Received HTTP code %d from proxy after CONNECT

login

password

operation aborted by callback

Read callback asked for PAUSE when not supported!

seek callback returned error %d

the ioctl callback returned %d

ioctl callback returned error %d

Rewinding stream by : %zd bytes on url %s (zero-length body)

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

HTTP server doesn't seem to support byte ranges. Cannot resume.

Simulate a HTTP 304 response!

Problem (%d) in the Chunked-Encoded data

Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)

Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d

No URL set!

[^?&/:]://%c

Issue another request to this URL: '%s'

Violate RFC 2616/10.3.2 and switch from POST to GET

Violate RFC 2616/10.3.3 and switch from POST to GET

Disables POST, goes with %s

Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s

Site %s:%d is pipeline blacklisted

Server %s is not blacklisted

Server %s is blacklisted

d:d:d

d:d

%c%c==

%c%c%c=

------------------------xx

; filename="%s"

%s; boundary=%s

Content-Type: multipart/mixed, boundary=%s

Content-Type: %s

couldn't open file "%s"

--%s--

.jpeg

.html

0123456789-

%s xxxxxxxxxxxxxxxx

%s/%s

username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s

user=%s

auth=Bearer %s

%s near '%s'

%s near end of file

unable to decode byte 0x%x at position %d

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

end == saved_text   lex->saved_text.length

unable to open %s: %s

\ux

\ux\ux

Assertion failed: (%s), file %s, line %d

M%p %d %s

M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s

once %p is %d

T%p %d %s

T%p %d V=%0X H=%p %s

C%p %d %s

C%p %d V=%0X B=%d b=%p w=%ld %s

RWL%p %d %s

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s

SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013

%s(%d): OpenSSL internal error, assertion failed: %s

x509_pkey

evp_pkey

ssl_cert

ssl_sess_cert

Stack part of OpenSSL 1.0.1e 11 Feb 2013

error:lX:%s:%s:%s

passed a null parameter

x509 certificate routines

DSO support routines

dhKeyAgreement

challengePassword

extendedCertificateAttributes

nsCertExt

Netscape Certificate Extension

nsCertType

Netscape Cert Type

nsBaseUrl

Netscape Base Url

nsRevocationUrl

Netscape Revocation Url

nsCaRevocationUrl

Netscape CA Revocation Url

nsRenewalUrl

Netscape Renewal Url

nsCaPolicyUrl

Netscape CA Policy Url

nsCertSequence

Netscape Certificate Sequence

subjectKeyIdentifier

X509v3 Subject Key Identifier

keyUsage

X509v3 Key Usage

privateKeyUsagePeriod

X509v3 Private Key Usage Period

certificatePolicies

X509v3 Certificate Policies

authorityKeyIdentifier

X509v3 Authority Key Identifier

extendedKeyUsage

X509v3 Extended Key Usage

TLS Web Server Authentication

TLS Web Client Authentication

pbeWithSHA1And3-KeyTripleDES-CBC

pbeWithSHA1And2-KeyTripleDES-CBC

keyBag

pkcs8ShroudedKeyBag

certBag

localKeyID

x509Certificate

sdsiCertificate

id-smime-mod-msg-v3

id-smime-ct-publishCert

id-smime-aa-msgSigDigest

id-smime-aa-encrypKeyPref

id-smime-aa-signingCertificate

id-smime-aa-smimeEncryptCerts

id-smime-aa-ets-otherSigCert

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-certValues

id-smime-aa-ets-certCRLTimestamp

id-mod-qualified-cert-88

id-mod-qualified-cert-93

id-mod-attribute-cert

id-it-caProtEncCert

id-it-signKeyPairTypes

id-it-encKeyPairTypes

id-it-caKeyUpdateInfo

id-it-unsupportedOIDs

id-it-keyPairParamReq

id-it-keyPairParamRep

id-it-revPassphrase

id-regCtrl-oldCertID

id-regCtrl-protocolEncrKey

id-regInfo-certReq

id-cmc-getCert

id-cmc-confirmCertAcceptance

id-ecPublicKey

set-msgExt

set-certExt

certificate extensions

setct-AcqCardCodeMsg

setct-PCertReqData

setct-PCertResTBS

setct-CertReqData

setct-CertReqTBS

setct-CertResData

setct-CertInqReqTBS

setct-AcqCardCodeMsgTBE

setct-CertReqTBE

setct-CertReqTBEX

setct-CertResTBE

setCext-certType

setCext-cCertRequired

setAttr-Cert

set-rootKeyThumb

JOINT-ISO-ITU-T

joint-iso-itu-t

msSmartcardLogin

Microsoft Smartcardlogin

proxyCertInfo

Proxy Certificate Information

certicom-arc

certificateIssuer

X509v3 Certificate Issuer

id-PasswordBasedMAC

password based MAC

id-Gost28147-89-CryptoPro-KeyMeshing

id-Gost28147-89-None-KeyMeshing

LocalKeySet

Microsoft Local Key set

supportedApplicationContext

userPassword

userCertificate

cACertificate

certificateRevocationList

crossCertificatePair

supportedAlgorithms

anyExtendedKeyUsage

Any Extended Key Usage

lhash part of OpenSSL 1.0.1e 11 Feb 2013

[d:d:d]

%5lu file=%s, line=%d,

number=%d, address=lX

thread=%lu, file=%s, line=%d, info="

%ld bytes leaked in %d chunks

Big Number part of OpenSSL 1.0.1e 11 Feb 2013

bn(%d,%d)

ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013

OPENSSL_Uplink(%p,X):

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

unknown option -- %s

unknown option -- %c

option requires an argument -- %s

option requires an argument -- %c

GCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)

165342012350447

ReportEventA

PeekNamedPipe

_acmdln

_amsg_exit

GetProcessWindowStation

ldap_msgfree

ADVAPI32.dll

KERNEL32.dll

msvcrt.dll

USER32.dll

wldap32.dll

WS2_32.dll

"@"@"@"@

File: %ws, Line %u

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   vhlsuvb.exe:3788
   vhlsuvb.exe:1812
   qxuzlcfr13pkeya.exe:4264
   qxuzlcfr15fptya.exe:2676
   thvdtttcvct.exe:3408
   thvdtttcvct.exe:172
   qxuzlcfr13kphyabs8ogvf.exe:2412
   qxuzlcfr15i4mya.exe:4992
   %original file name%.exe:1064

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\wfskmoeknsu\tst (10 bytes)
   %System%\wfskmoeknsu\cfg (373 bytes)
   %WinDir%\Temp\qxuzlcfr13pkeya.exe (35 bytes)
   %WinDir%\Temp\qxuzlcfr15i4mya.exe (35 bytes)
   %System%\vhlsuvb.exe (7433 bytes)
   %System%\wfskmoeknsu\aol\zip.exe (10500 bytes)
   %System%\win32mroclient.exe (27616 bytes)
   %System%\wfskmoeknsu\aol\exefile (14580 bytes)
   %System%\wfskmoeknsu\ihst (222 bytes)
   %System%\drivers\etc\hosts (100 bytes)
   %WinDir%\Temp\qxuzlcfr15fptya.exe (7433 bytes)
   %System%\wfskmoeknsu\run (10 bytes)
   %System%\wfskmoeknsu\aol\phantomjs.exe (183012 bytes)
   %System%\win64mroclient.exe (76437 bytes)
   %WinDir%\Temp\qxuzlcfr15g9cya.exe (1940 bytes)
   %System%\wfskmoeknsu\rng (32 bytes)
   %System%\wfskmoeknsu\etc (10 bytes)
   %System%\thvdtttcvct.exe (7433 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qxuzlcfr13kphyabs8ogvf.exe (5442 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "KtmRm Protocol Files Internet" = "%System%\thvdtttcvct.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.