winzip_setup.exe

WinZip Computing

The application winzip_setup.exe, published by WinZip Computing, has been flagged as a potentially unwanted program by 6 of 68 anti-malware scanners. It is a setup application built with the Inno Setup installer and driven by the InstallCore engine, which bundles additional software offers such as toolbars and browser extensions into the installation. The file has been seen being downloaded from redirect.ddni.net. While running, it connects over HTTP (TCP port 80) to inst.avg.com and oi.cloud.avg.com.
Publisher:
WinZip Computing  (signed and verified; note that the signing certificate's validity period ended 4/13/2014, see Digital Signature below)

MD5:
9a3ad7ea39b89b106213efaa0033d1d6

SHA-1:
083478f2df22737e8dd68e764590dfd024170dbb

SHA-256:
156e079848d469ede5334f89f7383a4e4d0a5048de032f7f2972b4dc65602a93

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/30/2024 10:43:31 AM UTC

Scan engine         Detection                                               Engine version
Dr.Web              Trojan.Packed.28622                                     9.0.1.05190
ESET NOD32          Win32/InstallCore.BY potentially unwanted application   7.0.302.0
F-Prot              W32/InstallCore.R.gen                                   4.6.5.141
Rising Antivirus    PE:Malware.XPACK-LNR/Heur!1.5594                        23.00.65.14914
SUPERAntiSpyware    -                                                       10355
Vba32 AntiVirus     -                                                       3.12.26.3

File size:
703.9 KB (720,744 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Common path:
C:\users\{user}\downloads\winzip_setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/15/2012 8:00:00 PM

Valid to:
4/13/2014 7:59:59 PM

Subject:
CN=WinZip Computing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5E4842AC9691630B45F8266C0ADB1206

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM  (this is the fixed placeholder TimeDateStamp that Delphi's linker writes into every binary, 0x2A425E19 = 1992-06-19 22:22:17 UTC; Inno Setup is built with Delphi, so it says nothing about when this file was actually built)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:uyMJfsGRLLYYmIDVh255edWJtvpz7lL3KxKYfl0b8QvHUviNYgXVeehrs5/26PXk:uyMJfsmIISfeIJpp/lm8zlUEeeW5jkNV

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...

Entropy:
7.8230

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)
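As an added example (not the report site's own tooling), the following Python reads the header fields listed above from a PE32 file, flags the fixed Delphi timestamp, computes byte entropy, and compares a file's digests with the hashes published in this report. SAMPLE_PE is a constructed minimal PE32 image that mirrors this report's header values (linker 2.25, OS version 1.0, GUI subsystem, entry RVA 0x98CC, Delphi marker timestamp); it is not winzip_setup.exe, so its hashes will not match the published ones. Run it against a real download by replacing SAMPLE_PE with the file's bytes.

```python
"""Extract PE header fields, entropy and hashes the way a scanner report does.

Added example, not the report site's tooling. SAMPLE_PE is a constructed,
minimal PE32 image mirroring the report's header values; it is not a copy of
winzip_setup.exe, so check_against_report() returns all-False for it."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Every Delphi-linked binary (Inno Setup is written in Delphi) carries this
# fixed TimeDateStamp: 0x2A425E19 = 1992-06-19 22:22:17 UTC.
DELPHI_MARKER_TIMESTAMP = 0x2A425E19

# Hashes published in the report above for winzip_setup.exe.
REPORT_HASHES = {
    "md5": "9a3ad7ea39b89b106213efaa0033d1d6",
    "sha1": "083478f2df22737e8dd68e764590dfd024170dbb",
    "sha256": "156e079848d469ede5334f89f7383a4e4d0a5048de032f7f2972b4dc65602a93",
}

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "x64"}


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF/optional-header fields a scanner report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic, maj_linker, min_linker, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)  # MajorOperatingSystemVersion
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]     # Subsystem
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_delphi_marker": timestamp == DELPHI_MARKER_TIMESTAMP,
        "linker_version": f"{maj_linker}.{min_linker}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point_rva": entry_rva,
        "size_of_code": size_of_code,
    }


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8 indicate packed/compressed payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_against_report(data: bytes, expected=REPORT_HASHES) -> dict:
    """True for each digest that equals the report's published value."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name: digests[name] == value for name, value in expected.items()}


def _build_sample_pe() -> bytes:
    """Constructed PE32 image: DOS header, COFF header, optional header, filler."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, DELPHI_MARKER_TIMESTAMP,
                                   0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      0x10B, 2, 25,              # PE32 magic, linker 2.25
                      0x9000, 0x1000, 0,         # SizeOfCode, init data, uninit data
                      0x98CC, 0x1000, 0xA000,    # entry RVA, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,   # ImageBase, section/file alignment
                      1, 0, 0, 0, 4, 0,          # OS 1.0, image 0.0, subsystem 4.0
                      0, 0x10000, 0x400, 0,      # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0)                      # Subsystem = Windows GUI, DllCharacteristics
    opt += bytes(0xE0 - len(opt))                # pad to SizeOfOptionalHeader
    return dos + coff + opt + bytes(range(256)) * 4  # high-entropy filler standing in for sections


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    for k, v in parse_pe_header(SAMPLE_PE).items():
        print(f"{k:>18}: {v}")
    print(f"{'entropy':>18}: {entropy(SAMPLE_PE):.4f}")
    print(f"{'hashes match':>18}: {check_against_report(SAMPLE_PE)}")
```

The timestamp check is the practical point: an Inno Setup or other Delphi binary reporting 1992 is normal and not by itself a sign of tampering, whereas a timestamp in the future or far from the certificate's validity window on a non-Delphi binary is worth a closer look.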

The file winzip_setup.exe has been seen being distributed from the host redirect.ddni.net.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to oi.cloud.avg.com  (204.193.144.33:80)

TCP (HTTP):
Connects to inst.avg.com  (204.193.144.89:80)
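The following Python is an added example (not part of the original report) showing how the network indicators above would be hunted in proxy and DNS logs: the download host redirect.ddni.net, the contacted names inst.avg.com and oi.cloud.avg.com, and their resolved addresses 204.193.144.89 and 204.193.144.33. SAMPLE_LOG and its field layout (timestamp, source, client IP, free text) are constructed for the demonstration and are an assumption, not a real proxy's format. Because avg.com is a vendor's own domain, a hit on it alone is only a lead; corroborate it with the download host or the file hash.

```python
"""Hunt the report's network indicators in proxy/DNS log lines.

Added example, not part of the original report. SAMPLE_LOG is constructed;
its layout (timestamp, source, client IP, free text) is an assumption."""
import re
from collections import defaultdict

# Indicators taken from the report above.
DOMAIN_IOCS = {"redirect.ddni.net", "inst.avg.com", "oi.cloud.avg.com"}
IP_IOCS = {"204.193.144.33", "204.193.144.89"}

_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log: one client touches all indicators, another is clean.
SAMPLE_LOG = """\
2024-11-30T10:41:02Z proxy 10.0.0.15 GET http://redirect.ddni.net/ 302
2024-11-30T10:41:05Z dns 10.0.0.15 A? inst.avg.com -> 204.193.144.89
2024-11-30T10:41:05Z proxy 10.0.0.15 GET http://inst.avg.com/ 200
2024-11-30T10:41:06Z proxy 10.0.0.15 CONNECT 204.193.144.33:80 200
2024-11-30T10:42:00Z proxy 10.0.0.22 GET https://www.winzip.com/ 200
"""


def _domain_hit(host: str):
    """Exact match or a subdomain of a listed name (e.g. cdn.inst.avg.com)."""
    for ioc in DOMAIN_IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_iocs(lines):
    """Return one record per (line, indicator) pair, in log order."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip().lower()
        if not line:
            continue
        fields = line.split()
        client = fields[2] if len(fields) > 2 else None  # assumed column layout
        seen = set()  # report each indicator once per line
        for host in _DOMAIN_RE.findall(line):
            ioc = _domain_hit(host)
            if ioc and ioc not in seen:
                seen.add(ioc)
                hits.append({"line": lineno, "client": client, "kind": "domain", "indicator": ioc})
        for ip in _IP_RE.findall(line):
            if ip in IP_IOCS and ip not in seen:
                seen.add(ip)
                hits.append({"line": lineno, "client": client, "kind": "ip", "indicator": ip})
    return hits


def clients_by_indicator(hits):
    """Group matched indicators per client so triage can rank hosts by breadth of contact."""
    out = defaultdict(set)
    for h in hits:
        out[h["client"]].add(h["indicator"])
    return {client: sorted(iocs) for client, iocs in out.items()}


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h['line']}: {h['client']} -> {h['kind']} {h['indicator']}")
    print(clients_by_indicator(found))
```

A client that hits the download host and then the avg.com names within a minute, as 10.0.0.15 does in the constructed sample, fits the behaviour described in this report far better than a lone avg.com lookup does.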

Remove winzip_setup.exe - Powered by Reason Core Security