Edit tour

Windows Analysis Report
WinZip Smart Monitor Service.exe

Overview

General Information

Sample name:	WinZip Smart Monitor Service.exe
Analysis ID:	1546675
MD5:	ecd432986963e97a86a806aa604e8f88
SHA1:	96c4521574a7bf110166d661904fa0cedbfec5f0
SHA256:	ee0a88f7b0f818c49f0360aec035baa81eed8b2769e9d9fc9959b3c1e974a161

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

WinZip Smart Monitor Service.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\WinZip Smart Monitor Service.exe" MD5: ECD432986963E97A86A806AA604E8F88)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: WinZip Smart Monitor Service.exe

Static PE information: certificate valid

Source: WinZip Smart Monitor Service.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\Pulse_git\bin\x64\Release\WinZip Smart Monitor Service.pdb source: WinZip Smart Monitor Service.exe

Source: WinZip Smart Monitor Service.exe, 00000000.00000003.1654543161.0000023388E31000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654484556.0000023388E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WinZip Smart Monitor Service.exe, 00000000.00000002.1655136959.0000023388E39000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654612613.0000023388E32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.di
Source: WinZip Smart Monitor Service.exe, 00000000.00000003.1654484556.0000023388DE6000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654627488.0000023388DE6000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654690322.0000023388DE9000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000002.1655008522.0000023388DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0E
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: WinZip Smart Monitor Service.exe, 00000000.00000003.1654484556.0000023388DE6000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654627488.0000023388DE6000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654690322.0000023388DE9000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000002.1655008522.0000023388DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256Ti
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: https://updaterv.winzip.com/api/updateWZSNUpdates
Source: WinZip Smart Monitor Service.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: classification engine

Classification label: clean0.winEXE@1/0@0/0

Source: WinZip Smart Monitor Service.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WinZip Smart Monitor Service.exe

String found in binary or memory: /INSTALLPATH%s=%s-run"

Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe

File read: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe

Jump to behavior

Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe	Section loaded: gpapi.dll	Jump to behavior

Source: WinZip Smart Monitor Service.exe

Static PE information: certificate valid

Source: WinZip Smart Monitor Service.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: WinZip Smart Monitor Service.exe

Static file information: File size 1489392 > 1048576

Source: WinZip Smart Monitor Service.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WinZip Smart Monitor Service.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WinZip Smart Monitor Service.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WinZip Smart Monitor Service.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WinZip Smart Monitor Service.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WinZip Smart Monitor Service.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WinZip Smart Monitor Service.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: WinZip Smart Monitor Service.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\Pulse_git\bin\x64\Release\WinZip Smart Monitor Service.pdb source: WinZip Smart Monitor Service.exe

Source: WinZip Smart Monitor Service.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WinZip Smart Monitor Service.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WinZip Smart Monitor Service.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WinZip Smart Monitor Service.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WinZip Smart Monitor Service.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WinZip Smart Monitor Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	3 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WinZip Smart Monitor Service.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl3.di	WinZip Smart Monitor Service.exe, 00000000.00000002.1655136959.0000023388E39000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654612613.0000023388E32000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://updaterv.winzip.com/api/updateWZSNUpdates	WinZip Smart Monitor Service.exe	false	unknown
http://cacerts.digicert	WinZip Smart Monitor Service.exe, 00000000.00000003.1654543161.0000023388E31000.00000004.00000020.00020000.00000000.sdmp, WinZip Smart Monitor Service.exe, 00000000.00000003.1654484556.0000023388E23000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546675
Start date and time:	2024-11-01 12:43:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WinZip Smart Monitor Service.exe
Detection:	CLEAN
Classification:	clean0.winEXE@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: WinZip Smart Monitor Service.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.306567706345787
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WinZip Smart Monitor Service.exe
File size:	1'489'392 bytes
MD5:	ecd432986963e97a86a806aa604e8f88
SHA1:	96c4521574a7bf110166d661904fa0cedbfec5f0
SHA256:	ee0a88f7b0f818c49f0360aec035baa81eed8b2769e9d9fc9959b3c1e974a161
SHA512:	54f5ef97f846970d4e2584480a1c2690289af123cf0ef5c243eb4797cb2567e8a1ddbe0be0920fd27590480463e62d88379a21d35cd2222560e32b87b13c0e1b
SSDEEP:	24576:TVC5QcF4WT6qA8IhikXYN4ds4yufBIERA+7QqyS9V7sxnNHgw8syrWd1JuiUphsk:pQQciWT6qA8IhikXYN4ds4yufBIERA+I
TLSH:	10657D2677A840F8C0ABC139C4829A4AF6F274414B318BDF56A9471E1F37BE54E7E721
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........;..eU..eU..eU.%....eU.%...9eU.%....eU.L....eU...V..eU...P..eU...Q..eU...P..eU.L....eU.L....eU..eT..dU...P..eU.3.P..eU.3.U..eU

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400a7c7c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62949E4D [Mon May 30 10:37:01 2022 UTC]
TLS Callbacks:	0x400a6d10, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a4f1b9062c2ba7543824a9d83dc6b8ca

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	20/10/2020 01:00:00 25/10/2022 00:59:59
Subject Chain	CN=Corel Corporation, O=Corel Corporation, L=Ottawa, S=Ontario, C=CA
Version:	3
Thumbprint MD5:	9BD28747B14C6A7CAEDF1BE843ED884B
Thumbprint SHA-1:	3D7B466ED8E2AB906D806FB439B0CBBFAEF1F125
Thumbprint SHA-256:	06094AF0ED0D9DE7AC9571FCAE4BEE97C3AAFBE853B93EA06661A5C11857F3C4
Serial:	099480698F2880AA5E6CBACE72F02677

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA728BE8004h
dec eax
add esp, 28h
jmp 00007FA728BE797Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FA728BE76BBh
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FA728BE7B13h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FA728BEEE8Bh
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
lea ecx, dword ptr [000B56A1h]
dec eax
jmp dword ptr [0004A89Ah]
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
mov dword ptr [000A44F9h], 00000002h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1474e0	0x2068	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x149548	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16b000	0x8e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x15f000	0xbf34	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x167c00	0x3df0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16c000	0x2134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11a490	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11a5f0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11a4f0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf2000	0x828	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf06fc	0xf0800	d61f55a14e387ad83de373db6ef45801	False	0.43717414078742206	data	6.402101129005369	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf2000	0x591e6	0x59200	732c42e89638a187cda8ca778b8afb82	False	0.33073555838008417	DIY-Thermocam raw data (Lepton 2.x), scale 18432-19200, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 131072.000000, slope 128.292969	4.675790490679106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14c000	0x12254	0xf200	eab3d215d4aab60e57a8052cbd39bc4b	False	0.08314501549586777	data	4.755599301663273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x15f000	0xbf34	0xc000	4224f7f09598b496196afc25b56e3af2	False	0.5048828125	data	6.036190295869243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x16b000	0x8e8	0xa00	65635d3c678adec311c6c76a8f871d93	False	0.394140625	data	4.888484362293089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16c000	0x2134	0x2200	2736282ffeb29e0df2733fb336acf4cf	False	0.3185891544117647	data	5.413141179724081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REGISTRY	0x16b144	0xa1	ASCII text, with CRLF line terminators	English	United States	0.6832298136645962
RT_STRING	0x16b1e8	0x58	data	English	United States	0.6704545454545454
RT_VERSION	0x16b240	0x3d4	data	English	United States	0.4459183673469388
RT_MANIFEST	0x16b614	0x2d2	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.45290858725761773

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, GetCurrentProcessId, GetCurrentProcess, WaitForSingleObjectEx, DeleteFileW, InitializeCriticalSectionAndSpinCount, CreateEventW, OpenThread, ReleaseMutex, CreateMutexW, ExpandEnvironmentStringsW, GetFileAttributesExW, GetUserDefaultLangID, GetFileAttributesW, OpenEventA, ResetEvent, VerSetConditionMask, Process32NextW, SetEndOfFile, WriteConsoleW, CreateFileW, SetStdHandle, Process32FirstW, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetFilePointerEx, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetTimeZoneInformation, CreateToolhelp32Snapshot, WaitForMultipleObjects, LocalAlloc, OpenProcess, ProcessIdToSessionId, TerminateProcess, SetLastError, MoveFileExW, GetTempPathW, GetTempFileNameW, TerminateThread, QueryPerformanceFrequency, QueryPerformanceCounter, SetThreadPriority, DecodePointer, WideCharToMultiByte, MultiByteToWideChar, FindResourceW, lstrcmpiW, LocalFree, SizeofResource, LockResource, LoadResource, LoadLibraryExW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, FreeLibrary, FindResourceExW, GetCurrentThreadId, Sleep, CreateEventA, SetEvent, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, GetProcessHeap, GetCommandLineW, HeapSize, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetFileType, GetACP, WriteFile, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, VerifyVersionInfoW, GetTickCount, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, RaiseException, CloseHandle, SetCurrentDirectoryW, InterlockedPushEntrySList, IsDebuggerPresent, OutputDebugStringW, GetStringTypeW, GetCPInfo, EncodePointer, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, CompareStringW, LCMapStringW, GetLocaleInfoW, ReleaseSemaphore, WaitForMultipleObjectsEx, SetWaitableTimer, ResumeThread, GetModuleHandleA, CreateWaitableTimerA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, GetStartupInfoW, RtlPcToFileHeader, RtlUnwindEx, RtlUnwind
USER32.dll	DispatchMessageW, PostThreadMessageW, TranslateMessage, GetMessageW, CharUpperW, CharNextW, MessageBoxW, LoadStringW
SHELL32.dll	ShellExecuteW, SHGetFolderPathW, SHCreateDirectoryExW
ole32.dll	CoTaskMemRealloc, CoTaskMemAlloc, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize, CoCreateInstance, CoReleaseServerProcess, CoAddRefServerProcess, CoInitializeEx, CoTaskMemFree
OLEAUT32.dll	SysAllocStringLen, VariantInit, SysAllocString, SysFreeString, VarUI4FromStr, VariantClear
ADVAPI32.dll	CryptDestroyHash, CryptDestroyKey, CryptDeriveKey, DeregisterEventSource, RegisterEventSourceW, ReportEventW, QueryServiceConfigW, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, LookupPrivilegeValueW, AdjustTokenPrivileges, ConvertSidToStringSidW, QueryServiceStatusEx, GetTokenInformation, OpenProcessToken, CreateProcessAsUserW, ConvertStringSidToSidW, UnlockServiceDatabase, StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerW, OpenServiceW, OpenSCManagerW, LockServiceDatabase, DeleteService, CreateServiceW, ControlService, CloseServiceHandle, ChangeServiceConfig2W, ChangeServiceConfigW, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, LookupAccountSidW, CryptDecrypt
WTSAPI32.dll	WTSQueryUserToken, WTSWaitSystemEvent, WTSFreeMemory, WTSQuerySessionInformationW, WTSEnumerateSessionsW
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINTRUST.dll	WinVerifyTrust
CRYPT32.dll	CertFindCertificateInStore, CertCloseStore, CryptMsgClose, CertFreeCertificateContext, CertGetNameStringW, CryptQueryObject, CryptMsgGetParam
WINHTTP.dll	WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpGetDefaultProxyConfiguration, WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetOption, WinHttpConnect, WinHttpReadData, WinHttpSendRequest, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpSetCredentials, WinHttpReceiveResponse, WinHttpQueryAuthSchemes
WININET.dll	InternetQueryDataAvailable, HttpQueryInfoW, InternetSetOptionW, HttpSendRequestW, HttpOpenRequestW, InternetConnectW, InternetCloseHandle, InternetReadFile, InternetOpenW

Exports

Name	Ordinal	Address
??0?$oserializer@Vtext_oarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@detail@archive@boost@@QEAA@XZ	1	0x1400630c0
??0?$oserializer@Vtext_oarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@boost@@QEAA@XZ	2	0x1400630f0
??0?$singleton@V?$extended_type_info_typeid@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@serialization@boost@@@serialization@boost@@IEAA@XZ	3	0x14000c430
??0?$singleton@V?$extended_type_info_typeid@VCSMSettingsStorage@PulseService@@@serialization@boost@@@serialization@boost@@IEAA@XZ	4	0x14000c430
?get_const_instance@?$singleton@V?$extended_type_info_typeid@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@serialization@boost@@@serialization@boost@@SAAEBV?$extended_type_info_typeid@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$al	5	0x1400688b0
?get_const_instance@?$singleton@V?$extended_type_info_typeid@VCSMSettingsStorage@PulseService@@@serialization@boost@@@serialization@boost@@SAAEBV?$extended_type_info_typeid@VCSMSettingsStorage@PulseService@@@23@XZ	6	0x1400688c0
?get_const_instance@?$singleton@V?$iserializer@Vtext_iarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@detail@archive@boost@@@serialization@boost@@SAAEBV?$iserializer@Vtext_iarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std	7	0x1400688d0
?get_const_instance@?$singleton@V?$iserializer@Vtext_iarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@boost@@@serialization@boost@@SAAEBV?$iserializer@Vtext_iarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@3@XZ	8	0x1400688e0
?get_const_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAAEBV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@XZ	9	0x1400abaa0
?get_const_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAAEBV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@XZ	10	0x1400ad950
?get_const_instance@?$singleton@V?$multiset@PEBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PEBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SAAEBV?$multiset@PEBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PEBVextended_type_info@serialization@boost@@@std@@@std@@XZ	11	0x1400aa8d0
?get_const_instance@?$singleton@V?$multiset@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@Utype_compare@234@V?$allocator@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@@std@@@std@@@serialization@boost@@SAAEBV?$multiset@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@Utype_compare@234@V?$allocator@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@@std@@@std@@XZ	12	0x1400aad00
?get_const_instance@?$singleton@V?$oserializer@Vtext_oarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@detail@archive@boost@@@serialization@boost@@SAAEBV?$oserializer@Vtext_oarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std	13	0x1400688f0
?get_const_instance@?$singleton@V?$oserializer@Vtext_oarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@boost@@@serialization@boost@@SAAEBV?$oserializer@Vtext_oarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@3@XZ	14	0x140068900
?get_lock@singleton_module@serialization@boost@@AEAAAEA_NXZ	15	0x140068d30
?get_mutable_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAAEAV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@XZ	16	0x1400abaa0
?get_mutable_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAAEAV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@XZ	17	0x1400ad950
?get_mutable_instance@?$singleton@V?$multiset@PEBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PEBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SAAEAV?$multiset@PEBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PEBVextended_type_info@serialization@boost@@@std@@@std@@XZ	18	0x1400aa8d0
?get_mutable_instance@?$singleton@V?$multiset@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@Utype_compare@234@V?$allocator@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@@std@@@std@@@serialization@boost@@SAAEAV?$multiset@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@Utype_compare@234@V?$allocator@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@@std@@@std@@XZ	19	0x1400aad00
?is_destroyed@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SA_NXZ	20	0x1400abd50
?is_destroyed@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SA_NXZ	21	0x1400adc20
?is_destroyed@?$singleton@V?$multiset@PEBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PEBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SA_NXZ	22	0x1400aa980
?is_destroyed@?$singleton@V?$multiset@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@Utype_compare@234@V?$allocator@PEBVextended_type_info_typeid_0@typeid_system@serialization@boost@@@std@@@std@@@serialization@boost@@SA_NXZ	23	0x1400aadb0
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ	24	0x140068de0
?load_object_data@?$iserializer@Vtext_iarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@detail@archive@boost@@UEBAXAEAVbasic_iarchive@234@PEAXI@Z	25	0x140069030
?load_object_data@?$iserializer@Vtext_iarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@boost@@UEBAXAEAVbasic_iarchive@234@PEAXI@Z	26	0x140069040
?lock@?1??get_lock@singleton_module@serialization@boost@@AEAAAEA_NXZ@4_NA	27	0x14015c438
?lock@singleton_module@serialization@boost@@QEAAXXZ	28	0x140069120
?save_object_data@?$oserializer@Vtext_oarchive@archive@boost@@V?$set@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@@detail@archive@boost@@UEBAXAEAVbasic_oarchive@234@PEBX@Z	29	0x1400697c0
?save_object_data@?$oserializer@Vtext_oarchive@archive@boost@@VCSMSettingsStorage@PulseService@@@detail@archive@boost@@UEBAXAEAVbasic_oarchive@234@PEBX@Z	30	0x140069800
?unlock@singleton_module@serialization@boost@@QEAAXXZ	31	0x140069910

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: WinZip Smart Monitor Service.exePID: 7296, Parent PID: 2580

General

Target ID:	0
Start time:	07:44:45
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\WinZip Smart Monitor Service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WinZip Smart Monitor Service.exe"
Imagebase:	0x7ff6bf430000
File size:	1'489'392 bytes
MD5 hash:	ECD432986963E97A86A806AA604E8F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WinZip Smart Monitor Service.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: WinZip Smart Monitor Service.exePID: 7296, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
WinZip Smart Monitor Service.exe