Gen.Variant.Application.Bundler.AirInstaller.4_a6517c986c
Gen:Variant.Application.Bundler.AirInstaller.4 (BitDefender), not-a-virus:AdWare.Win32.AirAdInstaller.emlr (Kaspersky), AirInstaller (fs) (VIPRE), Adware.Downware.10718 (DrWeb), Gen:Variant.Application.Bundler.AirInstaller.4 (B) (Emsisoft), Artemis!A6517C986C8F (McAfee), Trojan.Gen.2 (Symantec), AdWare.AirAdInstaller (Ikarus), Gen:Variant.Application.Bundler (FSecure), Win32:AirInstaller-A [PUP] (AVG), Win32:AirInstaller-A [PUP] (Avast), Gen:Variant.Application.Bundler.AirInstaller.4 (AdAware), Trojan.Win32.Swrort.3.FD, PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a6517c986c8f77a611fc452773b9ec7f
SHA1: eeb324e85c1b3000a889e266297c3e62edefa716
SHA256: 2a7c2c6e83c0a847cc87e6565f065a5799d718baeecbd8b06f8abc8ad9371097
SSDeep: 24576:eB2oxyXgCxY6o7YfEQPKzd17Cyf mdMswKpJVHkLsvwAUuBaaRikjP:4hku6Zf3EdP md5w2VGesOL
Size: 1116584 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-06-26 01:01:12
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:4000
The Trojan injects its code into the following process(es):
setup.exe:3320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:3320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\104[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HtOauIPPZi\intro_page.html (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018040920180410\index.dat (16 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012 (0 bytes)
The process %original file name%.exe:4000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe (7596 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process setup.exe:3320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040920180410]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040920180410]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018040920180410"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040920180410]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040920180410]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018040920180410]
"CachePrefix" = ":2018040920180410:"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017101120171012]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: AirInstaller Inc.
Product Name: Java Runtime
Product Version: 2.0.4.6
Legal Copyright: (c) AirInstaller. All rights reserved.
Legal Trademarks:
Original Filename: AirInstaller.exe
Internal Name: AirInstaller.exe
File Version: 2.0.4.6
File Description: Java Runtime
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1323008 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1327104 | 1101824 | 1098752 | 5.38961 | 71fb2366905efe07a6b443e2e3370fe4 |
.rsrc | 2428928 | 12288 | 11776 | 3.09804 | c839918734002bff197ddfd9c6e8cd51 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 303
f57e2889775b1faf269d89e58f0e1f4f
83e2e01cd5077d63e87189950c46db48
cb4e21c7e0ac83ad6d45ef159afb7950
1994235e35621a934fc4a440a8e26ad0
3477bf1d92b6b3b34d31d44630e9e2f6
761dce8fef99c9b51689bfdbf64931e9
d109f79a7395282dc8562aba47ab7795
69c47995a66543fff660b132257f9163
ca8ff9dee9806a7e060dc2298171ce13
ea8e784fe221021d708acec2bb7d8651
38faf4aece9f71eb96f7062b5c08a851
b94f108894cdf01f332ba7d0172909cd
d8d44809e2bbb27a137f46a87e7b9349
7fc3ed884839c21435282b8b536d3cc5
95deb1a7ef4282d4c4aa0f77e4016f69
7d386775a839f1d05db000090d1882c4
c1f6f6597277422dad67a05dc1e458e6
fea4e488eee12310a4de7bd57ef83e87
0ea00e88cb966e322ec20842c856ad35
b662ce1fc03f6a358d49128a7719c528
f34f088cb463016b7614e017cae443d6
32cbfd96092bb3315536324d4f4ba62d
6bb8bec70f80538ed0b329c3d992b51e
d9291b3337345c90ceca3e5fc3ed5f09
aebbafff7c61504d453a202b1e78d79e
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
`.rsrc
f;T$.uBf
t'SShl
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
portuguese-brazilian
operator
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
RegOpenKeyTransactedW
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page' + currentPage).style.visibility = 'hidden';
document.getElementById('page' + currentPage).style.display = 'none';
document.getElementById('page' + currentPage).style.visibility = 'visible';
document.getElementById('page' + currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i++) {
var formName = formsCollection[i].name;
//alert('formName: ' + formName + ' ' + document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e++) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e++) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e++) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length; i++) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length; i++) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e++) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e++) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
&& ( "required" in nonRequiredCheckbox.form.elements[e] && nonRequiredCheckbox.form.elements[e].required.indexOf("true") > -1)
nonRequiredCheckbox.form.elements[e].checked = true;
e = nonRequiredCheckbox.form.elements.length; // done
function clickIE() {if (document.all) {(message);return false;}}
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
document.onselectstart=new Function ("return false")
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
span.advanced { color:#AAAAAA; padding:0px; }
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CMDIChildWnd
CMDIFrameWnd
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;">
<td align='right' ><img src='hXXp://assets.airinstaller.com/graphics/software/common/pc.png' height='100%%' /></td></tr>
Setup has finished installing %s on your computer.
<form name="form%s" style="display:inline;" action="">
<div id="page%s" class="slide" style=" width: 100%%; height:100%%;">
Please wait while %s is being installed.
Downloading %s. <br><br>
<form name="form%s" style="display:inline;" action="">
style="width:80px; font-size:13; height:25px;" id="DeclineOffer" offer="%s" />
style="width:160px; font-size:13; height:25px;" id="AcceptOffer" offer="%s" />
<div id="page%s" class="slide" style="display: none;width:100%%;height:100%%;" >
<H2>%s</h2>
<img src='%s' style='padding:0px;' height='100%%' >
<H1>%s Setup Wizard</h1>
Welcome to the %s Setup Wizard. This wizard will guide you through the installation of %s. <br><br>
&& requiredCheckbox.form.elements[e].name != "main" ) {
&& requiredCheckbox.form.elements[e].type == "checkbox"
e = requiredCheckbox.form.elements.length; // done
span.advanced { color:#AAAAAA; padding:0px; }
C:\Users\jon\Documents\GitHub\Air-APP\Release\AirInstallerDistributed.pdb
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCToolBarCmdUI@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIFrameWndEx@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.PAVCException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWnd@@
var btnStalled = document.getElementById("NavigateStalled");
btnStalled.click();
GetProcessHeap
GetCPInfo
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExW
ShellExecuteW
UrlUnescapeW
IsValidURL
URLDownloadToFileW
CreateDialogIndirectParamW
SetWindowsHookExW
UnhookWindowsHookEx
GetKeyState
GetKeyNameTextW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
GetAsyncKeyState
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
InternetCanonicalizeUrlW
InternetCrackUrlW
HttpQueryInfoW
InternetOpenUrlW
DeleteUrlCacheEntryW
$/$/$/$/
2;%SK
]<%Xg
<3&.#3 $-
##0#3131%&
.QICN,=3?-W7P5351;. ##;-[3-M?-36$#M->-a053 ##-
6:(:.xHR8Y-(8
$$ $ $$844
((,$$$,$$,
.text
`.rdata
@.data
.rsrc
@.reloc
@.relo(
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
MSIMG32.dll
ole32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
Dcomctl32.dll
Dcomdlg32.dll
Dshell32.dll
res://%s/%s
res://%s/%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
hXXp://
=WININET.DLL
EHTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Ef:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
mfcm100u.dll
Ef:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
SHELL32.DLL
lXXxXXXXXXXX
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
COMCTL32.DLL
%sPane-%d%x
%sPane-%d
USER32.DLL
%sBasePane-%d%x
%sBasePane-%d
MSG_CHECKEMPTYMINIFRAME
KeyboardManager
ShowCmd
N%c%d%c%s
%sDockingManager-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
IHex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
windows
Pf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
I%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
QRICHED20.DLL
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
=%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
UxTheme.dll
dwmapi.dll
d%s:%x:%x:%x:%x
Shell32.dll
Download Url:
theme w: %d h: %d window w: %d h: %d
intro_page.html
feed.xml
installer.html
.html
block.html
download_page.html
cancel_page.html
offer_0.html
_USER_PASSWORD_
e Command succeded. Calling conversion URL.
<div ID="OPTIONS_PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
<div ID="PROGRESS_CONTROL" style="background-color:%s; width:%d%% ; height:%s;"> </div>
summary_page.html
%Program Files% (x86)
%Program Files%
%.2f %s
hXXp://cdn.airdlrstatic.com/uninstaller/Uninstaller.zip
INPUT_PASSWORD_FIELD
Choose a password
INPUT_PASSWORD_REQUIRED
hXXp://trk.airinstaller.com/get/event/?name=user_input
&data[password]=
$password
password=
<form action='hXXp://
<body onload="document.forms['form'].submit();">
userInputForm.html
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Referer: hXXp://VVV.mypcbackup.com/
Content-Type: application/x-www-form-urlencoded
" onclick="disableOfferOptions(this.form)" > Quick Installation (recomended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Custom Installation (advanced) </td></tr>
, you are hereby agreeing to their <a href='#' url='
<a href='#' url='
[purl]
[turl]
agree to accept the <a href='#' url='
<a href='#' url='
Advapi32.dll
firefox
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
" -osint -url
chrome
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files\Google\Chrome\Application\chrome.exe
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
D:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
http\shell\open\command
Chrome
Firefox
Opera
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
run_cmd
regkey
REG_KEY
extensions.sqlite
Detection Rule Exe:
.com/
Failed to open URL Error:
DownloadFile2() size mismatch url:
DownloadManager.DownloadFile2() url:
Ytheme\config\cancel_dialog.xml
URLDownloadToFile failed:
Ylanguage.map
.lang
AirInstallerDistributed.exe
setup.exe
AIRINSTALLER-238EA140-C13E-31F2-E1C5-106067709672
hXXp://trk.airinstaller.com/get/event/?name=already_running&data[running]=1
hXXp://cdn.airdlrstatic.com
2.0.1.6
hXXp://trk.airinstaller.com/get/event/?name=session_version
\debug.log
WebGrab XML Feed
hXXp://trk.airinstaller.com/get/log
/get/file_size/?key=
&url=
installer run cmd process
WHKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
explorer.exe
\config\settings.xml
\html\header.html
\html\footer.html
\html\intropage.html
\html\offerheader.html
\html\offerfooter.html
\html\cancelheader.html
\html\cancelfooter.html
\html\installoptionspage.html
\html\downloadpage.html
\html\summarypage.html
\software\title.png
ThemeManager.LoadTheme() done
\offer.html
%_OFFER_TERMS_URL_%
%_OFFER_PRIVACY_URL_%
' onclick='disableOfferOptions(this.form)' >
' onclick='enableOfferOptions(this.form)' >
installer_temp.html
theme\software\software.html
onblur="if(this.value==''){this.value='Email address';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Email address'){this.value='';this.style.color='#333333';}"
onblur="if(this.value==''){this.value='Full name';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Full name'){this.value='';this.style.color='#333333';}"
> <div id='INPUT_PASSWORD_REQUIRED' style='display: inline'></div> </span>
onblur="if(this.value==''){this.value='Choose a password';this.style.color='#AAAAAA';}"
onfocus="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
onclick="if(this.value=='Choose a password'){this.value='';this.style.color='#333333';}"
<span id="INPUT_PASSWORD"> <input type='text' id='INPUT_PASSWORD_FIELD' name='INPUT_PASSWORD_FIELD' value='Choose a password' placeholder='Choose a password'
%_INPUT_PASSWORD_%
<iframe src='userInputForm.html' width='1' height='1' frameborder='0' seamless='seamless'></iframe>
DOWNLOAD_URL>
src="theme/images/btn_next.png"
hXXp://trk.airinstaller.com/get/event/?name=started_with_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=started_without_admin&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_after_prompt&data[click_id]=
hXXp://trk.airinstaller.com/get/event/?name=admin_prompt_decline&data[click_id]=
</Reg_Key>
<Reg_Key>
installed.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\Uninstaller.exe
%s%s%s
session_key
Install session key:
thankyou_url
Install thank you URL:
cancel_url
download_url
exe_cmd
image_url
impression_url
conversion_url
privacy_url
terms_url
uninstaller_pre_cmd
uninstaller_post_cmd
uninstaller_url
input_post_url
purl
turl
Reg Keys
regkeys
Offer check: passed: does not exist at:
" onclick="disableOfferOptions(this.form)" > Quick (recommended) </td></tr>
" onclick="enableOfferOptions(this.form)" > Advanced </td></tr>
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe
hXXp://airinstaller.com
DEFAULTs<FEED_URL> h hXXp://trk.airinstaller.com 051cb34063398c
hXXp://trk.airinstaller.com q<OFFER_ARG> a<PRE_ACCEPTED_OFFERS>
firefox
2.0.4.6
<DOWNLOAD_URL> AJava Runtime <Java-MT
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
AirInstaller.exe
setup.exe_3320_rwx_003D1000_0024F000:
f;T$.uBf
t'SShl
tFHt:Ht.Ht"Hu`
j%XtL9E
u$SShe
FTCP
SSSSh
tAHt.HHt
SSh@B
FtPW
tl9_ tgSSh
<SShG
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
RegDeleteKeyTransactedW
CHttpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
portuguese-brazilian
operator
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
RegOpenKeyTransactedW
RegCreateKeyTransactedW
background: url('hXXp://cdn.airdlrstatic.com/themes/images/modal-overlay.png') repeat;
overlay = document.getElementById('modal-overlay');
if (overlay.style.display === 'none' && !display) {
overlay.style.display = display;
if(document.getElementById('page0')){
document.getElementById('page0').style.visibility = 'visible';
document.getElementById('page0').style.display = 'block';
document.getElementById('page' + currentPage).style.visibility = 'hidden';
document.getElementById('page' + currentPage).style.display = 'none';
document.getElementById('page' + currentPage).style.visibility = 'visible';
document.getElementById('page' + currentPage).style.display = 'block';
var formsCollection = document.getElementsByTagName("form");
for (var i = 0; i < formsCollection.length; i++) {
var formName = formsCollection[i].name;
//alert('formName: ' + formName + ' ' + document.forms[formName].elements);
if( typeof document.forms[formName].elements !== 'undefined' ){
for (var e = 0; e < document.forms[formName].elements.length; e++) {
if (document.forms[formName].elements[e].type == "button") {
if (document.forms[formName].elements[e].value == "Next" ||
document.forms[formName].elements[e].value == "Done" ||
document.forms[formName].elements[e].name == "Next"
document.forms[formName].elements[e].focus();
for (var e = 0; e < offerForm.elements.length; e++) {
if (offerForm.elements[e].type == "checkbox") {
offerForm.elements[e].disabled = 'disabled';
for (var e = 0; e < offerForm.elements.length; e++) {
if (offerForm.elements[e].type == "checkbox"
&& offerForm.elements[e].name != "main" ) {
offerForm.elements[e].checked = true;
var all = document.getElementsByTagName('*');
for(var i=0; i<all.length; i++) { if(all[i].className == 'advanced'){ all[i].style.color = '#AAAAAA'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'hidden';
if (offerForm.elements[e].type == "checkbox" && offerForm.elements[e].name != "main" ) {
offerForm.elements[e].disabled = '';
for(var i=0; i<all.length; i++) { if(all[i].className == 'advanced'){ all[i].style.color = '#000000'; } }
var hide_options_element = document.getElementById('hidden_options');
hide_options_element.style.visibility = 'visible';
if (requiredCheckbox.checked == true) {
for (var e = 0; e < requiredCheckbox.form.elements.length; e++) {
if (requiredCheckbox.form.elements[e] != requiredCheckbox
&& requiredCheckbox.form.elements[e].type == "checkbox"
&& requiredCheckbox.form.elements[e].name != "main"
&& ( "required" in requiredCheckbox.form.elements[e] && requiredCheckbox.form.elements[e].required.indexOf("false") > -1)
requiredCheckbox.form.elements[e].checked = true;
requiredCheckbox.form.elements[e].checked = false;
if (nonRequiredCheckbox.checked == true) {
for (var e = 0; e < nonRequiredCheckbox.form.elements.length; e++) {
if (nonRequiredCheckbox.form.elements[e] != nonRequiredCheckbox
&& nonRequiredCheckbox.form.elements[e].type == "checkbox"
&& nonRequiredCheckbox.form.elements[e].name != "main"
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:4000
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\104[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HtOauIPPZi\intro_page.html (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018040920180410\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe (7596 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.