Trojan.NSIS.StartPage_7a23f4fbd1

by malwarelabrobot on October 25th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 7a23f4fbd149a6ee85622b5262e331f9
SHA1: bed8860b35489b9f3cadc9784775dda5e40d4f01
SHA256: 2637d72dd7ba9e5981b7b18b46693cb28f69e5269856d7ce54831af58a751f4e
SSDeep: 12288: JWAHm62SHXXX5QIDa6jJU4YAzCG98LtzYe9dh: JWX6t3XX5QIDa Ma8LtzYe9d
Size: 576552 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1440
wmic.exe:1820
mscorsvw.exe:1912

The Trojan injects its code into the following process(es):

bagcabebbbbe.exe:1848

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process bagcabebbbbe.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dc[1].js (1657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe (3666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\91414099589\PreExe_ID_21659.exe (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (2479 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91414099589.aaa (0 bytes)

The process %original file name%.exe:1440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\insHv3.exe (400457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7F.tmp\rece.dll (4023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\insHv3.bagcabebbbbe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bagcabebbbbe.zip (57588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7F.tmp\nsisunz.dll (211 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\insHv3.bagcabebbbbe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bagcabebbbbe.zip (0 bytes)

The process wmic.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91414099589.aaa (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91414099589.aaa (0 bytes)

Registry activity

The process bagcabebbbbe.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E C5 53 AC F7 21 73 D6 3C F5 4F 09 73 69 79 7A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D BE DB D0 70 05 0C 55 7B 91 2D 30 4D 13 E2 D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process wmic.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 66 26 35 BE FF 4D 28 ED D1 4C D5 6D 3E 00 50"

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

Dropped PE files

MD5 File path
6bf9db0e306ffa8ab340cd9cc925455d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\91414099589\PreExe_ID_21659.exe
7be2fdc39504208113dca487672cc967 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bagcabebbbbe.exe
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx7F.tmp\nsisunz.dll
d2a73babcc0efc716b318b3fbe49dd72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx7F.tmp\rece.dll
6bf9db0e306ffa8ab340cd9cc925455d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: SpyHunter 4.6.1.3664
Product Version: 1.20.12.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 8464 8704 3.94471 f3bf963f38b7a22297a0fbc7d67a44b5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 23
b076ee6b39267e5791b9ece9c800c0fe
63c687e59f25684d0666937e58e9b801
1d3d48a736a29c17678588920f27fc18
2fb56116ff36e9a054beae5cafc12830
e76dc6ff840604dffaddfbcbf01fb1df
2b234db5f75b8829c14adfa19ecfd271
71aeeec8fa2d30eadf202c96c5dff243
098deca64b69fb19aa789aa29881e811
d9d0a8cb7714ec3065fd61d54e81ea3f
9edbac7ebf40471d81054abd050c78c0
ea528e9070fce85640bf08060778e2be
d1fe1e89e3883145785161fc9b8e1976
4aca4b281fce38d0addb52b1ff35a4a5
e47c4170098b33c820111950761754a7
a51efe9f4cf9546afbad15ed428490fa
4095d55e60900b21294ae57279849a19
207adad065775708d855dde1d28b47b8
a5235187613a73c66cf5f7cafbf6c582
91b2499dd51cfba7a25e2b385a9a48a6
7b5d765ec9d8eb19bdcc30e8986119ea
cf35a414771461cb893145fa181d8e80
671662c9f3a475284e77be75bc01678d
4ce07ef2a626f8301f305a974b916826

URLs

URL IP
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/seaApp/SeaAppWin8Chk.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bgImg.jpg
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button.png
hxxp://static.revenyou.com/offers/images/Theme8/button.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/bgImg.jpg 198.232.124.224
hxxp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0& 23.21.72.37
hxxp://cdn.download4desktop.com/Installer/seaApp/SeaAppWin8Chk.exe 198.232.124.192
hxxp://static.revenyou.com/offers/images/Theme8/topLine.jpg 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/button_over.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/bottomLine.jpg 198.232.124.224
hxxp://stats.g.doubleclick.net/dc.js 64.233.171.156
hxxp://static.revenyou.com/offers/images/Theme8/topComp.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/bodyImg.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/nextCase.jpg 198.232.124.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Installer/seaApp/SeaAppWin8Chk.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 24 Oct 2014 02:31:20 GMT
Content-Type: application/octet-stream
Content-Length: 49666
Connection: keep-alive
x-amz-id-2: npf2Uh0XEDtfD/wLDvT1iP45u8XDna1vs0XuYlfpRWFHGUxtdUNweCyl DUW3wxD
x-amz-request-id: B17D6149D41DAF11
Last-Modified: Tue, 23 Sep 2014 06:22:01 GMT
ETag: "6bf9db0e306ffa8ab340cd9cc925455d"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......hC..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
..hC.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>


GET /offers/images/Theme8/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/topComp.png HTTP/1.1


Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/nextCase.jpg HTTP/1.1


Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/button.png HTTP/1.1


Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: image/png
Content-Length: 458
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT
ETag: "1b5642f092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Fri, 31 Oct 2014 02:31:23 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi.......
.../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f.
..p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C......
.$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....
-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^
.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...



GET //offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xml.the-app-info.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Fri, 24 Oct 2014 02:31:34 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 11964
Connection: keep-alive
<html>.    <head>.      <title>5 - NonProduct (Gisgt
 Download Manager)</title><script type='text/javascript'>v
ar _gaq = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.
push(['_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker
', true]);..                                            _gaq.push(['_t
rackPageview']);..                                            (functio
n() {..                                              var ga = document
.createElement('script'); ga.type = 'text/javascript'; ga.async = true
;..                                              ga.src = ('https:' ==
 document.location.protocol ? 'hXXps://' : 'hXXp://')   'stats.g.doubl
eclick.net/dc.js';..                                              var 
s = document.getElementsByTagName('script')[0]; s.parentNode.insertBef
ore(ga, s);..                                            })();</scr
ipt><style type='text/css'>body      {          width:100%; h
eight:100%; margin:0px; padding:0px; font-size:font-family:helvetica; 
font-size:12px;}   .divLeadpName      {         border-bottom-style:gr
oove;border-bottom-width: thin; padding-left:61px; padding-top:9px; fo
nt-size:font-family:helvetica; font-style:italic; font-size:25px;     
            font-weight:bold; color:black; position:absolute;   width:
 100%; background-color: #fff; ba}   #divTop         {display: none}  
#divMiddle      {background-color: #efecec; height: 100%;} #middle    
{background-color: #fff;} .divOnNext      {          position:abso
<<< skipped >>>


GET /offers/images/Theme8/bgImg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/bodyImg.png HTTP/1.1


Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: image/png
Content-Length: 1914
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT
ETag: "36dd864c691ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Fri, 31 Oct 2014 02:31:23 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM
..z&..............u0...`..:....p..Q<...0PLTE.......................
.........................{.......IDATx......:..`..p..J.4.ty.:......)v.
.\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..].
.8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.
\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._.
.d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..&
gt;).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../
..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o
..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F
]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W
7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8..
......KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y.
.)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z
%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y.
..... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S..
...W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>[email protected])e
M.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J..
.,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.
*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.
J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....
X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*
<<< skipped >>>

GET /offers/images/Theme8/bottomLine.jpg HTTP/1.1


Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme8/button_over.png HTTP/1.1


Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 24 Oct 2014 02:31:23 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Fri, 31 Oct 2014 02:31:23 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...;IDATx..Z;o.1..Y.D...W."$=D..*[email protected].
...........;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.s
h..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[[email protected].
...y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?
7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.
......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K.....
...YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\
D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........
Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N.......
.*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..t
svP!.U0.q.......9z.e [email protected]............. .>=...{WVim...
.f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o
[email protected].^......IEND.B`...



GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://xml.the-app-info.com//offers/DynamicOfferScreen?offerid=5&distid=19421&leadp=18584&countryid=71&sysbit=32&imgurl=&cookieproductname=83-112-121-72-117-110-116-101-114-37-50-48-52-46-54-46-49-46-51-54-54-52&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 24 Oct 2014 01:16:16 GMT
Expires: Fri, 24 Oct 2014 03:16:16 GMT
Last-Modified: Fri, 03 Oct 2014 00:48:42 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15833
Cache-Control: public, max-age=7200
Age: 4507
Alternate-Protocol: 80:quic,p=0.01
...........={_.:...)....'.$..&.......-..Ms..e9..'...B.g.3#..........3z
?F........z....n.h..@&b.....v.W.A"...<8H.^.....A*......3....~..X?8.
...<..t..)d.......Hf.Q...._. .,`.....a....>...?...v.Aq.G........
.p.........a$y&.....sX7p........ ..M.d..l.K.....t...8..i6....C..XO....
.@....!.....RG.l .}....b$c..B|8..C}!.8..=.e.K....{..K.9..a..nx......%.
.;..F...J...v..n!.L.....g.C@...~..|...=....q.9n_...P.....Tw.o.........
..k.....^:.....O!..b......=...B..,..j8......k.b./.Y..JE...({k.........
(.L..@. ...b;...s.f...k../--..\..A.M..he.q..u.u.$..<.....$......eBf
....,...r{.[.....h....Tup..$?F?2.... .qk...x..;.......}.Y.[)jL........
.}.4.'..Z_...bms.._..I4.r=...f....U}...|......].FG..\.[9...hp......"..
L..J...a..l.=.C..c.............i..2&.......{....T*w..%#ey....A..`.T..Q
.w.....f2...,....J...y.qqA.........BTo....5.W..9]...]b$K%Z.V..b..x1t..
..]..&.P.Qo.A?..W.R..l.........'".. ..D. ..EA.......$US.t...w?.u*rn.:.
.....?...a,.(..0....`.GL....Z...j[8.[.2k8N...4(.x..4j&..V..p.N)0.;k...
....C..= .].;M.|..&..;........M'....Vy.6*..[J.7`n*...Q..O.%4T ...;....
.'J.........xKK.&..^A...;...........a<.783[X......p...c...3j$.....Z
....c.D.....BW................*.1]KQ].zb.... .?~....V>&."..Q$.....&
.sS..Kq........).....{y.V....T...L.09.-.KK:..yH.....4./..Ni.oaM..X..X.
R...l...[...n2.....6.v.Q.......v.C.0........55..z]__.a.j...fJh.....r.6
a.6v3..!.}^0...,...I.w........i.......Q..q ..c;2.p2 .%..:0..14....z...
.b.*Z..*..>...v].....H...V...kVT.]....I ...._..}.f.....^U..a.V]..wd
.N.....9....n1-0..`...B..Q.MB...7...%.!.L~.."H..xNV`?||.H.........
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1440:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bagcabebbbbe.exe /PID=13481 /SUBPID=0 /NETWORKID=1 /DISTID=19421 /CID=0 /PRODUCT_ID=18584 /SERVER_URL=`omn7).`ip`[o're_,]pnn%ok_`e-_ok /CLICKID= /D1=-1 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=KkrFrhsar#-(/'4  -/64/ /EXE_URL=`omn7).swu)]ibej[rkfrrYm^,`il dmrfgh_aYr_ali]m(ckcfiaqj^op_o_-_ok*KkrFrhsar Dfnm_ifdn.cs] /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1412581268 /VM=2 /DS1= /RUNTIME_WELCOMEIMAGEURL= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /HIDEX=1 /IS_DYNAMIC_ENCRYPTED=true
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\insHv3.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bagcabebbbbe.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bagcabebbbbe.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\insHv3.exe
sisunz.dll
1.2.2
Extract: %f
%u byte%c
(%u byte%c)
%d.%d%d Ë%c
inflate 1.2.2 Copyright 1995-2004 Mark Adler
GetProcessHeap
nsisunz.dll
operator
GetProcessWindowStation
portuguese-brazilian
.MGV3'
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bagcabebbbbe.zip
bagcabebbbbe.zip
BAGCAB~1.ZIP
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx7F.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr7E.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx7F.tmp
/PID=13481 /SUBPID=0 /NETWORKID=1 /DISTID=19421 /CID=0 /PRODUCT_ID=18584 /SERVER_URL=`omn7).`ip`[o're_,]pnn%ok_`e-_ok /CLICKID= /D1=-1 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=KkrFrhsar#-(/'4  -/64/ /EXE_URL=`omn7).swu)]ibej[rkfrrYm^,`il dmrfgh_aYr_ali]m(ckcfiaqj^op_o_-_ok*KkrFrhsar Dfnm_ifdn.cs] /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1412581268 /VM=2 /DS1= /RUNTIME_WELCOMEIMAGEURL= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /HIDEX=1 /IS_DYNAMIC_ENCRYPTED=true
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
WUSER32.DLL
00000000
SpyHunter 4.6.1.3664
1.20.12.1

bagcabebbbbe.exe_1848:

.text
`.rdata
@.data
.rsrc
@.reloc
.CGy,
SShd9J
<9%u3
FTPj
YPSSSh
,4,56,789
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
%d/%d/%d %d:%d:%d
X:X:X:X:X:X
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
GetProcessHeap
RowKey
3.7.16.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
922337203685477580
SQLITE_
?API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s\etilqs_
%s\%s
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
%s(%d)
keyinfo(%d
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
cannot modify %s because it is a view
table %s may not be modified
Cforeign key mismatch - "%w" referencing "%w"
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
no such index: %s
SCAN TABLE %s %s%s(~%d rows)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
sqlite_master
sqlite_temp_master
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid<?)
%s (rowid>?)
%s (rowid>? AND rowid<?)
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s AS %s
%s TABLE %s
%s SUBQUERY %d
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
foreign key constraint failed
unable to use function %s in the requested context
zeroblob(%d)
CREATE TABLE %Q.%s(%s)
%s %T cannot reference objects in database %s
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
no such collation sequence: %s
%s - %s
malformed database schema (%s)
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s.%s
%s-shm
bind on a busy prepared statement: [%s]
%s: %s
%s: %s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
too many terms in %s BY clause
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
%s%.*s"%w"
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
invalid name: "%s"
automatic extension loading failed: %s
d-d-d d:d:d
d:d:d
d-d-d
M@d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
BmTindexed columns are not unique
Recovered %d frames from WAL file %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
btreeInitPage() returns error code %d
unable to get the page. error code=%d
Page %d:
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
sqlite3_get_table() called with two or more incompatible queries
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
database %s is locked
cannot detach database %s
no such database: %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
unknown database: %s
unknown database %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
PRIMARY KEY must be unique
constraint %s failed
%s.%s may not be NULL
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
misuse of aggregate: %s()
constraint failed at %d in [%s]
abort at %d in [%s]: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
statement aborts at %d: [%s] %s
cannot use index: %s
at most %d tables in a join
cannot open value of type %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
no such trigger: %S
unable to open database: %s
database %s is already in use
too many attached databases - max %d
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such table: %s
%s.%s.%s
too many references to "%s": max 65535
sqlite_subquery_%p_
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open %s column for writing
no such column: "%s"
indexed
foreign key
cannot open view: %s
cannot open virtual table: %s
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
*** in database %s ***
unsupported encoding: %s
foreign_key_check
foreign_key_list
no such column: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
Error %d has occurred.
Error %u in WinHttpReadData.
Error %u in WinHttpQueryDataAvailable.
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
PSAPI.DLL
KERNEL32.dll
EnumChildWindows
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
zcÁ
{A0386B19-B7E7-4BE7-B567-ABF77CBB6E60} = s `ATLExeServer'
`ATLExeServer.EXE'
val AppID = s {A0386B19-B7E7-4BE7-B567-ABF77CBB6E60}
ForceRemove {FA20B59B-21AA-44FC-8A68-450979B7CC90} = s 'CBrowserExternals Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{03771AEF-400D-4A13-B712-25878EC4A3F5}'
ForceRemove {622D38AD-B4A9-4170-8192-5B865C6A5DCE} = s 'CBrowserExternalImp Class'
ForceRemove {6D4506CE-F855-4657-AA38-DB6B1F733982} = s 'CBrowserExternal Class'
stdole2.tlbWWW
~cmdWd
OpenUrlW
urlWd
method OpenUrl
Created by MIDL version 7.00.0555 at Sun Sep 21 09:07:07 2014
<BUTTON onclick='window.external.OnClick(theBody, "red");'>Red</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "green");'>Green</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "blue");'>Blue</BUTTON>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
151;1_1|1
7|7
?#?'? ?/?3?7?
1<3
5 5$5(5,585<5
9 9$9(9,909
? ?$?(?,?0?
1 1(101<1`1
9 9@9`9|9
6 6$6(6,6064686
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gRUNTIME_WELCOMEIMAGEURL
THANKYOU_URL
EXE_CMDLINE
EXE_URL
SERVER_URL
execmdline
exeurl
\Microsoft\Windows\Cookies
cookies.sqlite
sqlite
\Mozilla\Firefox\Profiles
Found cookie in Chrome!
SELECT value,last_access_utc FROM cookies WHERE host_key LIKE '%
\..\Local Settings\Application Data\Google\Chrome\User Data\Default\
\..\Local\Google\Chrome\User Data\Default\
Chrome_WidgetWin_1
Exception opening/reading chrome cookies
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
OLEACC.DLL
SELECT url FROM moz_places WHERE url LIKE '%
places.sqlite
\PreExe_ID_
\default.html
Safari.exe
Opera.exe
firefox
chrome
http\shell\open\command
Opera.HTML
IE.AssocFile.HTM
FirefoxHTML
ChromeHTML
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Mozilla\Mozilla FireFox
SOFTWARE\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
virtualoffercmd
\PostCheck.exe
opera
&welcomeimgurl=
&chromev=
CHROMEVERSION
@@exeurl
AntivirusesRegKeys
RegKey64
RegKey32
PostExe
PreExe
ReportName
RegKey
ExeURL2
ExeURL
OfferURL
{A33DE4AA-9646-4E33-9E44-E472C6312E2F}
OLEAUT32.DLL
Mscoree.dll
888816666554443
6666554443
!6666554443
virtualoffercmd:
download.exe
Download.exe
/REPORTURL=
_2nd.exe
VirtualOfferCmd
VirtualOfferCMD
VIRTUALOFFERCMD
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KKERNEL32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bagcabebbbbe.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1440
    wmic.exe:1820
    mscorsvw.exe:1912

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bodyImg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dc[1].js (1657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SeaAppWin8Chk[1].exe (3666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91414099589\PreExe_ID_21659.exe (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (2479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\insHv3.exe (400457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx7F.tmp\rece.dll (4023 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\insHv3.bagcabebbbbe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bagcabebbbbe.zip (57588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx7F.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91414099589.aaa (238 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now