oiassistwtd.exe

WinZip 18

WinZip Computing

The application oiassistwtd.exe by WinZip Computing has been detected as a potentially unwanted program by 6 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.capitalvaultsbits.com and multiple other hosts. While running, it connects to the Internet address inst.avg.com on port 80 using the HTTP protocol.
Publisher:
WinZip Computing  (signed and verified)

Product:
WinZip 18

Description:
WinZip 18 Setup

Version:
1,19,0,3503

MD5:
21efc3bdcf61f59f1b629535b1dbb709

SHA-1:
09cd3a7c41ba55f5000906089e11dbd306034e88

SHA-256:
dacab4b184246a430bf522f538d2f30fa3f567c326ecd9560495ea13e9d66462

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Includes Open Install, an installer which bundles legitimate programs with offers for additional 3rd-party applications that may be unwanted by the user.

Analysis date:
11/27/2024 1:13:26 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.OpenInstall
7.1.1

Dr.Web
Adware.Downware.1923
9.0.1.025

Emsisoft Anti-Malware
Trojan.Generic.10143455
8.14.01.25.11

ESET NOD32
Win32/OpenInstall (variant)
8.9307

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.14123

Sophos
4.96

File size:
410.9 KB (420,776 bytes)

Product version:
1,19,0,3503

Copyright:
Copyright © 2013

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\oiassistwtd.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 1:00:00 AM

Valid to:
4/14/2014 1:59:59 AM

Subject:
CN=WinZip Computing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5E4842AC9691630B45F8266C0ADB1206

File PE Metadata
Compilation timestamp:
9/11/2013 3:01:43 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
6144:bPEVT/DlxGmVQhlzYBH1PBrj+qCkeHX0h1Db5lugnuz3aJkx5De:b+DfPVQhlzi5leMD7ul3CkxRe

Entry address:
0x1000

Entry point:
55, 8B, EC, 81, EC, 1C, 04, 00, 00, 53, 56, 57, BE, CC, 30, 40, 00, 8D, BD, E4, FB, FF, FF, A5, A5, A5, 6A, 7E, 66, A5, 59, 33, C0, 8D, BD, F2, FB, FF, FF, F3, AB, 66, AB, BB, 04, 01, 00, 00, 53, 8D, 85, E4, FB, FF, FF, 50, FF, 15, 5C, 30, 40, 00, 66, 83, A5, EC, FD, FF, FF, 00, 33, C0, B9, 81, 00, 00, 00, 8D, BD, EE, FD, FF, FF, F3, AB, 66, AB, 8D, 45, FE, 50, 8D, 85, EC, FD, FF, FF, 50, 8D, 85, E4, FB, FF, FF, 50, C7, 45, F8, FD, FF, FF, FF, C6, 45, FE, 00, E8, 45, 01, 00, 00, 83, C4, 0C, 84, C0, 74, 15...
 
[+]

Entropy:
7.7054

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file oiassistwtd.exe has been seen being distributed by the following 44 URLs.

http://www.capitalvaultsbits.com/7L9zb10TdEo8uZcwXR4TFlYfPUGnG1YKlJXHrzzR5coWcZ8X_sif7YbjKQi_G29V04QOYQIadbG1Sp1FWRNz5BQSI2a9G6oqqR6HyI1jmk84XXazsftGqaNfyaf8lqCFeGFPEOu_x2FBCVaEmVyard3UO2doFb0F1Mk7PbHtxkg1CdpLF0WBaBsBckGmymeSEAbw0AIyZ1MymT5aczka3_M3mkgPKw==-Ow==

http://www.capitalvaultsbits.com/WVl6OTRQVXBEZFZkSlFqRXdhVEY1ZGtkUlMwVjVWR1ZyUm5STVRGY3pRazFCVldOTWRUUmpURXN6U2xKcGJqZ2xNMFFtWXoxQlpHZFpWWFYzYXpreVJtWnRWM0EwYkRSbmFFWldORmxMWW5SS1FuaFpiWFZIYVhoM2RIWkxZbkpMTTNCWVNHRm9kbk55ZW1oVmJrRm9hVzF5WkdsVlFuUnhRbWhyWTJreE1qUlhSa04zVEhVeVpXOWpZbEJ1TkhGMWVsTkRjRzVpVGxSaFMwZG5SV0kwY1haRmJrWllVSFJhU3pWVk0za3dRMDVtV1RsS2VTWmtiM2R1Ykc5aFpFRnpQVmRwYmxwcGNDdFRaWFIxY0M1bGVHVW1abUZzYkdKaFkydGZkWEpzUFdoMGRIQWxNMEVsTWtZbE1rWjNkM2N1Wkc5M2JteHZZV1JtY21WbE15NWpiMjBsTWtac1lXNWtaWEp6SlRKR2QybHVlbWx3SlRKR1pHOTNibXh2WVdRdWNHaHc=

http://www.capitalvaultsbits.com/GPPAQCrQDWGRH5CC75hqBd3EkZwXI2P 8ooNz_VkIrebkWbE9xAwwey1o1RljrmcDQbdTa1cCxQEaxV5hUfY6jOvAZouzVEihIwh3sMNqmGyYm7X1DoQ2xgK l9G1RbRho5GxDuu6jUTXkMXo gQcZI6DzfYkVL1VcwQwztlw13HE932PXHGq8snrYj44NEfRQAvv2tLKNDnQvrnXafeCUsaujUqqw==-Ow==

http://www.capitalvaultsbits.com/jjfLRxsV2QXeAO55jdlcYdayJrhg4 tbg9Abp09RVEapi_fi6K8OMCv4MgZpLmoadU7lEnZkayPT4FYD6PUVGImBnQkiEPEa OC7DN SFTUDPQg93aK fuKEK3TJkY0Y3J_VkUYaV vSgyCrkjl_K3 lr5TEWpbwNXHDEDF_1fcTkcfEbVDA_f2cYVd_pGHL0SGeu_BjFbNkIMyovDpjbz8B9mAw8w==-Ow==

http://www.flashlaboratoryapp.com/WVl6OTRQV1ExY3pBemQzVllaa3h3YlVOUFNXTlZUa0lsTWtaWGMxTkRSV3RWYjBsb1IyVjFUek5aVUROME1USm5TU1V6UkNaalBVTjRRVUZNYUZWSmQwOUdiRVpxZFZKMGRuTlBKVEpDYWpCT1EweHhOVlpYUjJGVFozZHFNSEJXWmxGWE5tODRRVFE0UVV4UlMxcHdTRVZzZGxrbE1rWjBXVmcySlRKR1Z6UTFPWG8xV0RaNFNtcEtkVkpIWVdReEpUSkdKVEpHYzBSb2NVTkpla3RLYUc1NmJqVlRkM1YwSlRKR09ITnBkemxWV0VKdlZtdzBTR2RSVWtGemVtaDZXRm80Sm1SdmQyNXNiMkZrUVhNOVYybHVXbWx3TG1WNFpRPT0=

http://www.flashlaboratoryapp.com/c?x=05NVDSVU3LvFJd78JfYqhnZeFL3h9niNSE6Fstlew/.../7eNsvGrnrcCXM WvALNlg=&e=0&downloadAs=WinZip Setup.exe

http://www.capitalvaultsbits.com/QoX5FGF9wp6Gz78YirIpQccegdi67y UtPyrNE6OwyeFHjmO2osizgKNu OnntOkw5QKIz0fr7HdFitzWK0gp Al4hq45PifBzeGMWI3QJaxIcSRzO_1EOcAmvmiYSgNWxapjt FVvi3_uAErAWlzAJ5OljQi08CWTLzOwrLR8AlASzV35KGQIYFXHtGLgbdwfI6CxXg6BrYARs011v10XHaoL1odA==-GyoAAEQnh_ZDiJcudWsLJnLA3lYCB_Q3xnkgb4z8YKegpcXzvJPj0gE=

http://www.capitalvaultsbits.com/WVl6OTRQV3BHWVVwNVJFOXJVRUUzVUd4SFYwdzRlSEZ4WkNVeVJrODJWWFpsZVhsdk4yMUxUM05oYWpocmR6a3dOQ1V6UkNaalBXdG9PSFpYVHpKQ1MzQjFZbnBxTlU5SldXeFdVamhyYUhCU1oyRlJZVUoxUTNBeFRtTktZMGwyVjFWc1FuRkpWRWxJUlhwSmJrWTFTMDFqUlVOWkpUSkNjWG9sTWtKRk5qbHpTWFJ6SlRKR1psWkZRMnB2U0hWbFZ6WlBVeVV5UWtFNFdVdDFTbUpQUm1Vd1YzcHdVVFVsTWtaT1JVZFhhblJDSlRKQ2NWRnlSemhoZGpCRE9Ga3pWR2RxSm1SdmQyNXNiMkZrUVhNOVYybHVXbWx3TG1WNFpRPT0=

http://www.capitalvaultsbits.com/c?x=aw/5M2O4SXhKLzm7C2H4O/JgHxSwPREgxd9W/DismEo=&c=0tt8G/EHHR8632Twr 6j2Xh5rLxWJavopyVBOzEN5FMwuDLAWQd6f6ODzKJ3IkpD9XPdZsRqRMdGcNPQyQCxB5F0YVedulmgt8ebypWkIRC07/YOOD9DIIVnWN33LXjQh0yB2zmlUzUHp307bt4rJTlZslqV6sfre Yn0d7EJFI=&e=0&downloadAs=WinZip Setup.exe&fallback_url=http://www.downloadfree4.com/landers/.../download.php

http://www.capitalvaultsbits.com/Oq7jLJ 8wTWqQ2rZ_NzPCHibRNUwLmZAq5PCsY7UuPWTCcNpwCQWC33u0iXvUpFHxdX18g04ciaKVrVzOtbb97Bdo68nMhyR8wz1oPW0uDXXUNf37vJAZP0tX_CKhtP3GM7yRh4agpNtrtPTWGWyWRH1Nd39dGTigHB3Jo2tW03pc5suJ 8L1ScDq5baNEtVd3cawGpOEjk9KDBx2l rLQULZB_p4Q==-GyoAAEQnh_ZDiJcudWsLJnLA3lYCB_Q3xnkgb4z8YKegpcXzvJPj0gE=

http://www.capitalvaultsbits.com/v_2efCcPHdZmrrRvkhkTKMbS rHJ76qW QSX9VXyw5erPoAc6lVt3mmjpclTWdorCQ_kUOcHfJ1DZrLFTUIxamg4EphHIiHe_RvIFpvsN2vK39vCGvm0GcRyv8SoOW5Pp E2Ps4CMnBaGv9Be3Si2mHQ9RqgtfwnlOpPevF8MLtjZjbo87ANgvZIggGUgjsY rR_UhoHLkP_bnRVzOT5X6L VHtSXA==-GzcAAMRtbD49zRvkCakRBA45YP_2JLHAINgYO08EG_nGjB8ZVCMK5ctZnvplQoPL

http://www.capitalvaultsbits.com/WVl6OTRQVGhzVVU1dE0yaDNlRXhuTkRoUVUydGthMVl3VjAxT1YzUlVNQ1V5UW5jbE1rSmtXVXhzYkhrNWNteHFaVGcwSlRORUptTTlVMVZ3V1VkNlFVNVpabFJKWjJGclpYcHhiWFYyUm1wR1pYSnZPV3hyUWpSVkpUSkNOM1IxZVdZeE1YTkZjR3BQWldNMVIyUldXR1p3UkU5TmVqazFVbTlpZERaMWNFSXdWMHh3V1dwWFVVcGhSRm9sTWtaclZqaFhha2hrWm0xclNqUlJSR1p4V0hsYWQxQlFiRE5IUWtkRlVIQnliMGxCWjJKc04xaDFiVlJIYTNreUptUnZkMjVzYjJGa1FYTTlWMmx1V21sd0xtVjRaUT09

http://www.capitalvaultsbits.com/ ihJZggHoK3YIi PZWcR_JjL3xvKk6U1R pimMchjmtTntMMifZDxbgguC3XFMP4lvvo3 pzJIMLqOb17w DCshJsqL7zkEBUvd U5vld1CCQtRUGxz4x bMNxWrsHk59MXxHdJU0EaLqARE_aeoW dSM nz oB3yLaTtyYGCqzdXPi CTllVcx85Lh33AbxGaupfU4yZgoSKyN JaRse_lufnHYw==-Ow==

http://www.capitalvaultsbits.com/74bvutr6iwQYYXviwo7_xe73oZPJIyGMbQAGHm9KEpjblwi4PY0HTnFfquAh0vEdvaDqEeIGHVexQi6XRLrh_QAZtvfF0ot2rZD9E4oUF0EJt3JzVRf9C8MDuEJl7 A7qIcePJelkL5EnSOrVL6fzBaLEgsUQ5ruKXtTwltTve14LuZ49XE3t4UChegBDbWnyCTxlt7fVG9hVRek70fipUhRbNFQ2w==-GzcAAMRtbD49zRvkCakRBA45YP_2JLHAINgYO08EG_nGjB8ZVCMK5ctZnvplQoPL

Latest 30 of 44 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to st.openinstall.com  (184.168.221.46:80)

TCP (HTTP):
Connects to oi.cloud.avg.com  (204.193.144.33:80)

TCP (HTTP):
Connects to inst.avg.com  (204.193.144.89:80)

Remove oiassistwtd.exe - Powered by Reason Core Security