» winzipbar.exe
Overview
Analysis
File Details
Network (2)

winzipbar.exe

WinZip Computing

This is part of the Conduit platform, a browser extension desigend to manage and control the web browser's search provider functionality. The application winzipbar.exe by WinZip Computing has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Wise Installer installer. It is also typically executed from the user's temporary directory.

File name:

winzipbar.exe

Publisher:

Conduit (signed by WinZip Computing)

Version:

1.2.0.0

MD5:

0d0182815527ac5b55b531757a4d3419

SHA-1:

645abba10407ef33e9ce23f6c8853eccc7b567ba

SHA-256:

1a7aeae7cb829a2310c6c11639be763fc009cc28ea97e83624cfec94f3d57797

Scanner detections:

1 / 68

Status:

Potentially unwanted

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

4/26/2024 5:37:56 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Win32.Generic

16.1.24.5

File size:

275.1 KB (281,696 bytes)

Conduit Ltd.

File type:

Executable application (Win32 EXE)

Installer:

Wise Installer

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\winzipbar.exe

Digital Signature

Signed by:

WinZip Computing

Authority:

VeriSign, Inc.

Valid from:

4/13/2009 7:00:00 PM

Valid to:

4/13/2012 6:59:59 PM

Subject:

CN=WinZip Computing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

2091EC663B9B070DEF16CA9A237B705B

File PE Metadata

Compilation timestamp:

10/25/2001 2:47:11 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

6144:XXUlmIMLPkuWCgXmyaun3sBPV8aspReyM8oyasBPV8aspReyM8oyt:0lmhLR63sBPOLfef8onsBPOLfef8oc

Entry address:

0x21AF

Entry point:

55, 8B, EC, 81, EC, 2C, 05, 00, 00, 53, 56, 57, 6A, 01, 5E, 6A, 04, 89, 75, E8, FF, 15, 54, 40, 40, 00, FF, 15, 50, 40, 40, 00, 8B, F8, 89, 7D, F4, 8A, 07, 3C, 22, 0F, 85, CC, 00, 00, 00, 8A, 47, 01, 47, 89, 7D, F4, 33, DB, 3A, C3, 74, 0D, 3C, 22, 74, 09, 8A, 47, 01, 47, 89, 7D, F4, EB, EF, 80, 3F, 22, 75, 04, 47, 89, 7D, F4, 80, 3F, 20, 75, 09, 47, 80, 3F, 20, 74, FA, 89, 7D, F4, 53, FF, 15, 6C, 40, 40, 00, 80, 3F, 2F, 89, 45, F8, 75, 64, 8A, 47, 01, 3C, 53, 74, 04, 3C, 73, 75, 06, 89, 35, 58, 53, 40, 00... 
[+]

Entropy:

7.9694

Packer / compiler:

Wise Installer Stub

Code size:

8.5 KB (8,704 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to a184-24-90-108.deploy.static.akamaitechnologies.com (184.24.90.108:80)

TCP (HTTP):

Connects to a23-202-99-152.deploy.static.akamaitechnologies.com (23.202.99.152:80)

Remove winzipbar.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.