wzmpis_9.exe

WinZip Computing

The application wzmpis_9.exe by WinZip Computing has been detected as a potentially unwanted program by 10 anti-malware scanners. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from download.winzipsystemtools.com. While running, it connects to the Internet address inst.avg.com on port 80 using the HTTP protocol.
Publisher:
WinZip Computing  (signed and verified)

MD5:
f369970626a10f15d84d592d4563cf39

SHA-1:
8d14b1d995ab399516d1a72503f429e49819ba47

SHA-256:
66e40225674de264457c9343795504114aaf7cbeff1d8c063e9062b2e1b39428

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/24/2024 3:15:21 PM UTC

Scan engine             Detection                          Engine version
Bitdefender             Gen:Trojan.Heur2.GZ.OGZ@bKB!kwli   1.0.20.645
Emsisoft Anti-Malware   Gen:Trojan.Heur2.GZ.OGZ@bKB!kwli   8.14.05.09.12
ESET NOD32              Win32/InstallCore.BY               8.9743
Fortinet FortiGate      Riskware/InstallCore               5/9/2014
F-Secure                Gen:Trojan.Heur2.GZ.OGZ@bKB!kwli   11.2014-09-05_6
G Data                  Gen:Trojan.Heur2.GZ.OGZ@bKB!kwli   14.5.24
Malwarebytes            PUP.Optional.Pricemeter            v2014.05.09.12
McAfee                  Artemis!F369970626A1               5600.7135
MicroWorld eScan        Gen:Trojan.Heur2.GZ.OGZ@bKB!kwli   15.0.0.387
Vba32 AntiVirus                                            3.12.26.0

File size:
651.6 KB (667,216 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Common path:
C:\users\{user}\downloads\wzmpis_9.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/15/2014 1:00:00 AM

Valid to:
5/17/2016 1:59:59 AM

Subject:
CN=WinZip Computing, OU=IT, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A0099B9A58D592947DF50CC37517426

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:envp8F+cWXc2shm11TZil1hD/WNl/TmGVESDvI+lztwLZGuOuHz2o7bt:envqodXc2sVDgl/TmOvXtMZGTGV

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file wzmpis_9.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to st.openinstall.com  (184.168.221.46:80)

TCP (HTTP):
Connects to oi.cloud.avg.com  (204.193.144.33:80)

TCP (HTTP):
Connects to inst.avg.com  (204.193.144.89:80)

Remove wzmpis_9.exe - Powered by Reason Core Security