home

winzip19-ootf.exe

WinZip Computing LLC

The application winzip19-ootf.exe by WinZip Computing has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from cdn.winzipdelivery.com.
Publisher:
WinZip  (signed by WinZip Computing LLC)

Product:
WinZip

Version:
1.0.5.a0.1_37199

MD5:
ee2be89454cc38f6df7d423ab1323a13

SHA-1:
7dd6b86bdfb4dbe6eddf6d76efe26fd68ec8042b

SHA-256:
109992593aac7eeef16da171528ec00b00a06d4cc882a68724558708f189b09f

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/26/2024 7:35:09 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Trojan.InstallCore.402
9.0.1.0152

ESET NOD32
Win32/InstallCore.YR potentially unwanted (variant)
9.11541

Fortinet FortiGate
Riskware/InstallCore
6/1/2015

NANO AntiVirus
Riskware.Win32.InstallCore.dqvwsp
0.30.20.1219

Reason Heuristics
PUP.Bundler.InstallCore
15.6.1.19

Trend Micro House Call
Suspicious_GEN.F47V0402
7.2.152

File size:
1 MB (1,080,488 bytes)

Product version:
1.0.5.a0.1_37199

Copyright:
WinZip

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\downloads\winzip19-ootf.exe

Digital Signature
Signed by:
WinZip Computing LLC

Authority:
GlobalSign nv-sa

Valid from:
2/10/2015 12:50:10 PM

Valid to:
2/11/2016 12:50:10 PM

Subject:
CN=WinZip Computing LLC, O=WinZip Computing LLC, S=Connecticut, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11213AC849B929DBABC960315B5B9070927F

File PE Metadata
Compilation timestamp:
6/19/1992 11:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:CmJa7dm5K5c/WVHvy3NGwbIqWlWOJKyUpNUYPpLShl7uK:CMGA2PEN+txBYPshf

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file winzip19-ootf.exe has been seen being distributed by the following URL.

http://cdn.winzipdelivery.com/c?fallback_url= &x=6wts40LEZlhX46MjRJHD64c6Ex3yW zOwpogi2eaDxY=&downloadAs=winzip19-ootf.exe&c=7UeovSsw9VqehzIet0Vs1txKQfWrKD9Ihfz1HG57At36wgNHXa4 CV438GeBZXHwDX3pOux6i2v7p40nLnhYZw==

Remove winzip19-ootf.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.