Analysis
max time kernel: 225s
max time network: 241s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:20
Behavioral task: behavioral1
  Sample: Adware/Reimage Repair/ReimageRepair.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Adware/Reimage Repair/ReimageRepair.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Adware/WinZip Driver Updater/WinZip Driver Updater.exe
  Resource: win7-20240221-en
General
Target: Adware/WinZip Driver Updater/WinZip Driver Updater.exe
Size: 3.3MB
MD5: 7f2c30853e543c73398abbe67e36b39c
SHA1: 4a1a113b26080550ecbc5b1fdf9b83e2ebb61ae1
SHA256: 337d67549662e6ce2df81d926c86504d26dc68f7ea1d7a9a25ae709d414f6609
SHA512: c23126b3ac0b89b7e69a055ea3839ddb24123fe5c731041de87ba8e8bcb1a294eacadd8e7987e1d3864091edc16885eee61f4dbca1e8cbef014f4271ad6cc5a5
SSDEEP: 49152:NuugZ81Zj5RX0j3IIwcBsCB32S5havOJjgmssQVHPrR8OnbXTQtmx1QWoG4:VicErw8sO2ysvOJjhssaPjEt3
Malware Config
Signatures
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
3528 | netsh.exe
3924 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | WinZip Driver Updater.tmp
Executes dropped EXE 2 IoCs
pid | Process
1048 | WinZip Driver Updater.tmp
768 | winzipdu.exe
Loads dropped DLL 3 IoCs
pid | Process
768 | winzipdu.exe
768 | winzipdu.exe
768 | winzipdu.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 42 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 4 IoCs
pid | Process
4920 | taskkill.exe
4528 | taskkill.exe
1624 | taskkill.exe
2876 | taskkill.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1048 | WinZip Driver Updater.tmp
1048 | WinZip Driver Updater.tmp
4640 | msedge.exe
4640 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3792 | identity_helper.exe
3792 | identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2876 | taskkill.exe
Token: SeDebugPrivilege | 4920 | taskkill.exe
Token: SeDebugPrivilege | 4528 | taskkill.exe
Token: SeDebugPrivilege | 1624 | taskkill.exe
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
1048 | WinZip Driver Updater.tmp
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
3352 | msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
768 | winzipdu.exe
768 | winzipdu.exe
768 | winzipdu.exe
768 | winzipdu.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2568 wrote to memory of 1048 | 2568 | WinZip Driver Updater.exe | 90
PID 2568 wrote to memory of 1048 | 2568 | WinZip Driver Updater.exe | 90
PID 2568 wrote to memory of 1048 | 2568 | WinZip Driver Updater.exe | 90
PID 1048 wrote to memory of 2876 | 1048 | WinZip Driver Updater.tmp | 91
PID 1048 wrote to memory of 2876 | 1048 | WinZip Driver Updater.tmp | 91
PID 1048 wrote to memory of 2876 | 1048 | WinZip Driver Updater.tmp | 91
PID 1048 wrote to memory of 4920 | 1048 | WinZip Driver Updater.tmp | 93
PID 1048 wrote to memory of 4920 | 1048 | WinZip Driver Updater.tmp | 93
PID 1048 wrote to memory of 4920 | 1048 | WinZip Driver Updater.tmp | 93
PID 1048 wrote to memory of 2912 | 1048 | WinZip Driver Updater.tmp | 96
PID 1048 wrote to memory of 2912 | 1048 | WinZip Driver Updater.tmp | 96
PID 1048 wrote to memory of 2912 | 1048 | WinZip Driver Updater.tmp | 96
PID 1048 wrote to memory of 4412 | 1048 | WinZip Driver Updater.tmp | 102
PID 1048 wrote to memory of 4412 | 1048 | WinZip Driver Updater.tmp | 102
PID 1048 wrote to memory of 4412 | 1048 | WinZip Driver Updater.tmp | 102
PID 1048 wrote to memory of 3472 | 1048 | WinZip Driver Updater.tmp | 104
PID 1048 wrote to memory of 3472 | 1048 | WinZip Driver Updater.tmp | 104
PID 1048 wrote to memory of 3472 | 1048 | WinZip Driver Updater.tmp | 104
PID 1048 wrote to memory of 1716 | 1048 | WinZip Driver Updater.tmp | 106
PID 1048 wrote to memory of 1716 | 1048 | WinZip Driver Updater.tmp | 106
PID 1048 wrote to memory of 1716 | 1048 | WinZip Driver Updater.tmp | 106
PID 1048 wrote to memory of 3924 | 1048 | WinZip Driver Updater.tmp | 108
PID 1048 wrote to memory of 3924 | 1048 | WinZip Driver Updater.tmp | 108
PID 1048 wrote to memory of 3924 | 1048 | WinZip Driver Updater.tmp | 108
PID 1048 wrote to memory of 3528 | 1048 | WinZip Driver Updater.tmp | 110
PID 1048 wrote to memory of 3528 | 1048 | WinZip Driver Updater.tmp | 110
PID 1048 wrote to memory of 3528 | 1048 | WinZip Driver Updater.tmp | 110
PID 1048 wrote to memory of 4528 | 1048 | WinZip Driver Updater.tmp | 111
PID 1048 wrote to memory of 4528 | 1048 | WinZip Driver Updater.tmp | 111
PID 1048 wrote to memory of 4528 | 1048 | WinZip Driver Updater.tmp | 111
PID 1048 wrote to memory of 1624 | 1048 | WinZip Driver Updater.tmp | 115
PID 1048 wrote to memory of 1624 | 1048 | WinZip Driver Updater.tmp | 115
PID 1048 wrote to memory of 1624 | 1048 | WinZip Driver Updater.tmp | 115
PID 1048 wrote to memory of 768 | 1048 | WinZip Driver Updater.tmp | 117
PID 1048 wrote to memory of 768 | 1048 | WinZip Driver Updater.tmp | 117
PID 1048 wrote to memory of 768 | 1048 | WinZip Driver Updater.tmp | 117
PID 1048 wrote to memory of 3352 | 1048 | WinZip Driver Updater.tmp | 119
PID 1048 wrote to memory of 3352 | 1048 | WinZip Driver Updater.tmp | 119
PID 3352 wrote to memory of 1828 | 3352 | msedge.exe | 120
PID 3352 wrote to memory of 1828 | 3352 | msedge.exe | 120
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
PID 3352 wrote to memory of 3676 | 3352 | msedge.exe | 121
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2568
  C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp" /SL5="$D0042,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1048
    C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2876
    C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4920
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
      - Modifies registry class
      PID: 2912
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f
      PID: 4412
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f
      PID: 3472
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f
      PID: 1716
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"
      - Modifies Windows Firewall
      PID: 3924
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
      - Modifies Windows Firewall
      PID: 3528
    C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4528
    C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1624
    C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
      Command line: "C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 768
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.winzip.com/instcmplt.cgi?pid=wzdu&vid=du23&lang=en&utm_source=winzip&utm_campaign=default&utm_medium=newbuild&LangID=en
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 3352
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c2c146f8,0x7ff9c2c14708,0x7ff9c2c14718
        PID: 1828
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        PID: 3676
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
        PID: 4640
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        PID: 2064
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        PID: 4584
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        PID: 4080
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        PID: 3144
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        PID: 316
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        PID: 4648
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
        PID: 2036
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
        PID: 3984
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
        PID: 3792
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4536
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4800
Network
MITRE ATT&CK Enterprise v15
Downloads