oiassistwtd.exe

WinZip 18

WinZip Computing

The application oiassistwtd.exe by WinZip Computing has been detected as a potentially unwanted program by 10 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address inst.avg.com on port 80 using the HTTP protocol.
Publisher:
WinZip Computing  (signed and verified)

Product:
WinZip 18

Description:
WinZip 18 Setup

Version:
1,19,0,3503

MD5:
10a28c8679ee131c72f0a07475295e65

SHA-1:
9e094462445ab14d09a47c48904caf0fd302e201

SHA-256:
945b88ab1440b1f1a11393a28b53be8d81c77797573246b960223c833335095e

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
Includes Open Install, an installer which bundles legitimate programs with offers for additional 3rd-party applications that may be unwanted by the user.

Analysis date:
11/24/2024 11:28:51 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.OpenInstall
7.1.1

Dr.Web
Adware.Downware.1923
9.0.1.0139

Emsisoft Anti-Malware
Trojan.Generic.10143455
8.14.05.19.12

ESET NOD32
Win32/OpenInstall potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/OpenInstall
5/19/2014

K7 AntiVirus
Unwanted-Program
13.176.11496

McAfee
Artemis!0AB167625A7A
5600.7125

Reason Heuristics
PUP.OpenInstall.Installer.L
14.5.19.12

Sophos
4.97

Trend Micro House Call
TROJ_GEN.F47V0204
7.2.139

File size:
410.9 KB (420,808 bytes)

Product version:
1,19,0,3503

Copyright:
Copyright © 2013

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\oiassistwtd.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 1:00:00 AM

Valid to:
4/14/2014 1:59:59 AM

Subject:
CN=WinZip Computing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5E4842AC9691630B45F8266C0ADB1206

File PE Metadata
Compilation timestamp:
9/11/2013 3:01:43 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
6144:7PEVT/DlxGmVQhlzYBH1PBrj+qCkeHX0h1Db5lugnuz3aJkx5D+:7+DfPVQhlzi5leMD7ul3CkxR+

Entry address:
0x1000

Entry point:
55, 8B, EC, 81, EC, 1C, 04, 00, 00, 53, 56, 57, BE, CC, 30, 40, 00, 8D, BD, E4, FB, FF, FF, A5, A5, A5, 6A, 7E, 66, A5, 59, 33, C0, 8D, BD, F2, FB, FF, FF, F3, AB, 66, AB, BB, 04, 01, 00, 00, 53, 8D, 85, E4, FB, FF, FF, 50, FF, 15, 5C, 30, 40, 00, 66, 83, A5, EC, FD, FF, FF, 00, 33, C0, B9, 81, 00, 00, 00, 8D, BD, EE, FD, FF, FF, F3, AB, 66, AB, 8D, 45, FE, 50, 8D, 85, EC, FD, FF, FF, 50, 8D, 85, E4, FB, FF, FF, 50, C7, 45, F8, FD, FF, FF, FF, C6, 45, FE, 00, E8, 45, 01, 00, 00, 83, C4, 0C, 84, C0, 74, 15...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to oi.cloud.avg.com  (204.193.144.33:80)

TCP (HTTP):
Connects to inst.avg.com  (204.193.144.89:80)

Remove oiassistwtd.exe - Powered by Reason Core Security