PUA_INSTALLCORE.GY

February 22, 2018

Analysis by: Byron Jon Gelera

ALIASES:

a variant of Win32/InstallCore.ANQ potentially unwanted (ESET-NOD32)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

TECHNICAL DETAILS

File Size: 1,465,784 bytes

File Type: EXE

Initial Samples Received Date: 22 Feb 2018

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This Potentially Unwanted Application adds the following folders:

%User Temp%\in{random}
%Program Files%\WinZip

It drops the following files:

%User Temp%\{random}.log
%User Temp%\ICReinstall_123.exe
%Desktop%\Continue WinZip Installation.lnk
%User Temp%\in{random}\css\ie6_main.css
%User Temp%\in{random}\css\main.css
%User Temp%\in{random}\css\sdk-ui\browse.css
%User Temp%\in{random}\css\sdk-ui\button.css
%User Temp%\in{random}\css\sdk-ui\checkbox.css
%User Temp%\in{random}\css\sdk-ui\images\button-bg.png
%User Temp%\in{random}\css\sdk-ui\images\progress-bg-corner.png
%User Temp%\in{random}\css\sdk-ui\images\progress-bg.png
%User Temp%\in{random}\css\sdk-ui\images\progress-bg2.png
%User Temp%\in{random}\css\sdk-ui\progress-bar.css
%User Temp%\in{random}\csshover3.htc
%User Temp%\in{random}\form.bmp.Mask
%User Temp%\in{random}\images\arrow.png
%User Temp%\in{random}\images\BG.png
%User Temp%\in{random}\images\Close.png
%User Temp%\in{random}\images\Close_Hover.png
%User Temp%\in{random}\images\Color_Button.png
%User Temp%\in{random}\images\Color_Button_Hover.png
%User Temp%\in{random}\images\Grey_Button.png
%User Temp%\in{random}\images\Grey_Button_Hover.png
%User Temp%\in{random}\images\Loader.gif
%User Temp%\in{random}\images\Progress.png
%User Temp%\in{random}\images\ProgressBar.png
%User Temp%\in{random}\images\Welcome_BG.jpg
%User Temp%\in{random}\locale\CS.locale
%User Temp%\in{random}\locale\DE.locale
%User Temp%\in{random}\locale\EN.locale
%User Temp%\in{random}\locale\ES.locale
%User Temp%\in{random}\locale\FR.locale
%User Temp%\in{random}\locale\IT.locale
%User Temp%\in{random}\locale\JA.locale
%User Temp%\in{random}\locale\KO.locale
%User Temp%\in{random}\locale\NL.locale
%User Temp%\in{random}\locale\PT.locale
%User Temp%\in{random}\locale\RU.locale
%User Temp%\in{random}\locale\TW.locale
%User Temp%\in{random}\locale\ZH.locale
%User Temp%\in{random}\wnzpw.dll
%User Temp%\in{random}\bootstrap_37123.html
%ProgramData%\WinZip\ipp.cfg
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinZip 20.5\WinZip 20.5.lnk
%ProgramData%\Microsoft\Windows\Start Menu\WinZip.lnk
%Desktop%\WinZip.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Update Notifier.lnk
%ProgramData%\Microsoft\Windows\Start Menu\WinZip BG Tools.lnk
%ProgramData%\WinZip\WinZip.addon
%Program Files%\WinZip\WZSHLSTB.DLL
%Program Files%\WinZip\WZCAB3.DLL
%Program Files%\WinZip\WZFILVW32.OCX
%Program Files%\WinZip\WZVINFO32.DLL
%Program Files%\WinZip\WZSHLEX1.DLL
%Program Files%\WinZip\WINZIP32.EXE
%Program Files%\WinZip\WZZPMAIL32.DLL
%Program Files%\WinZip\WZ32.DLL
%Program Files%\WinZip\WZQKPICK32.EXE
%Program Files%\WinZip\WZSEPE32.EXE
%Program Files%\WinZip\WZFLDVW32.OCX
%Program Files%\WinZip\WZCKTREE32.DLL
%Program Files%\WinZip\WZEAY32.DLL
%Program Files%\WinZip\WZMSG.EXE
%Program Files%\WinZip\en-US\MYDOCS.WJF
%Program Files%\WinZip\en-US\wzfldvw32.ocx.mui
%Program Files%\WinZip\en-US\MYFAVS.WJF
%Program Files%\WinZip\en-US\MYE-MAIL.WJF
%Program Files%\WinZip\en-US\MYDSKTOP.WJF
%Program Files%\WinZip\en-US\USRCOMBO.WJF
%Program Files%\WinZip\WZGDIP32.DLL
%Program Files%\WinZip\WZIMGV32.DLL
%Program Files%\WinZip\WZWIA32.DLL
%Program Files%\WinZip\7ZXA32.DLL
%Program Files%\WinZip\LDCdBldr32.dll
%Program Files%\WinZip\VirtCDRDrv32.dll
%Program Files%\WinZip\wzwipe32.exe
%Program Files%\WinZip\WzPreviewer32.exe
%Program Files%\WinZip\en-US\LIBALL.WJF
%Program Files%\WinZip\en-US\LIBPICS.WJF
%Program Files%\WinZip\en-US\LIBDOCS.WJF
%Program Files%\WinZip\en-US\winzip32.exe.mui
%Program Files%\WinZip\en-US\WzPreviewer32.exe.mui
%Program Files%\WinZip\en-US\wzcab64.dll.mui
%Program Files%\WinZip\en-US\wzqkpick32.exe.mui
%Program Files%\WinZip\en-US\wzimgv32.dll.mui
%Program Files%\WinZip\en-US\wzshlx64.dll.mui
%Program Files%\WinZip\en-US\wzcab3.dll.mui
%Program Files%\WinZip\en-US\wzshlex1.dll.mui
%Program Files%\WinZip\en-US\WzWia32.dll.mui
%Program Files%\WinZip\en-US\WzCkTree32.dll.mui
%Program Files%\WinZip\en-US\wzsepe32.exe.mui
%Program Files%\WinZip\en-US\wzfilvw32.ocx.mui
%Program Files%\WinZip\0100WZ.wzconfig
%Program Files%\WinZip\en-US\wzwipe32.exe.mui
%Program Files%\WinZip\en-US\wz32.dll.mui
%Program Files%\WinZip\en-US\wzzpmail32.dll.mui
%Program Files%\WinZip\WzBanner.dll
%Program Files%\WinZip\Utils\WzSysScan\lang.lng
%Program Files%\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe
%Program Files%\WinZip\Utils\WzSysScan\KillWINZIPSSProcesses.exe
%Program Files%\WinZip\Utils\WzSysScan\Microsoft.VC90.ATL.manifest
%Program Files%\WinZip\Utils\WzSysScan\MFC90ESP.dll
%Program Files%\WinZip\Utils\WzSysScan\privprotector.ini
%Program Files%\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe
%Program Files%\WinZip\Utils\WzSysScan\msvcp90.dll
%Program Files%\WinZip\Utils\WzSysScan\wzpsssys.dll
%Program Files%\WinZip\Utils\WzSysScan\MFC90DEU.dll
%Program Files%\WinZip\Utils\WzSysScan\regclean.ini
%Program Files%\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll
%Program Files%\WinZip\Utils\WzSysScan\msvcr90.dll
%Program Files%\WinZip\Utils\WzSysScan\mfc90u.dll
%Program Files%\WinZip\Utils\WzSysScan\MFC90ITA.dll
%Program Files%\WinZip\Utils\WzSysScan\MFC90FRA.dll
%Program Files%\WinZip\Utils\WzSysScan\client.ini
%Program Files%\WinZip\Utils\WzSysScan\Microsoft.VC90.MFC.manifest
%Program Files%\WinZip\Utils\WzSysScan\MFC90JPN.dll
%Program Files%\WinZip\Utils\WzSysScan\sysclean.ini
%Program Files%\WinZip\Utils\WzSysScan\aso.ini
%Program Files%\WinZip\Utils\WzSysScan\atl90.dll
%Program Files%\WinZip\Utils\WzSysScan\asores.dll
%Program Files%\WinZip\Utils\WzSysScan\sqlite3.dll
%Program Files%\WinZip\Utils\WzSysScan\Microsoft.VC90.CRT.manifest
%Program Files%\WinZip\Utils\WzSysScan\MFC90ENU.dll
%Program Files%\WinZip\Utils\WzSysScan\MFC90KOR.dll
%Program Files%\WinZip\Utils\WzSysScan\Microsoft.VC90.MFCLOC.manifest
%Program Files%\WinZip\Utils\WzSysScan\regopt.ini
%Program Files%\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe
%Program Files%\WinZip\Utils\WzSysScan\MFC90CHS.dll
%Program Files%\WinZip\Utils\WzSysScan\asohtm.dll
%Program Files%\WinZip\Utils\WzSysScan\MFC90CHT.dll
%Program Files%\WinZip\Utils\WzSysScan\MFC90ESN.dll
%Program Files%\WinZip\Utils\WzSysScan\WINZIPSS.exe
%Program Files%\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe
%Program Files%\WinZip\Utils\WzSysScan\xmllite.dll
%Program Files%\WinZip\ULCDRDrv32.dll
%Program Files%\WinZip\WzWXFfbsm32.dll
%Program Files%\WinZip\SMProvider32.dll
%Program Files%\WinZip\en-US\SMProvider32.dll.mui
%Program Files%\WinZip\LdrtBurn32.DLL
%Program Files%\WinZip\LudfWrtr32.DLL
%Program Files%\WinZip\WzWFR32.dll
%Program Files%\WinZip\en-US\WzWFR32.dll.mui
%Program Files%\WinZip\WzWXFivrs32.dll
%Program Files%\WinZip\en-US\WzWXFivrs32.dll.mui
%Program Files%\WinZip\WzWXFd2p32.dll
%Program Files%\WinZip\en-US\WzWXFd2p32.dll.mui
%Program Files%\WinZip\Aspose.Words.xml
%Program Files%\WinZip\Aspose.Words.dll
%Program Files%\WinZip\Aspose.Slides.xml
%Program Files%\WinZip\Aspose.Slides.dll
%Program Files%\WinZip\Aspose.Pdf.xml
%Program Files%\WinZip\Aspose.Pdf.dll
%Program Files%\WinZip\Aspose.Cells.xml
%Program Files%\WinZip\Aspose.Cells.dll
%Program Files%\WinZip\WzWXFwmrk32.dll
%Program Files%\WinZip\en-US\WzWXFwmrk32.dll.mui
%Program Files%\WinZip\WzWXFoned32.dll
%Program Files%\WinZip\WzWXFgdrv32.dll
%Program Files%\WinZip\WzWXFdbox32.dll
%Program Files%\WinZip\System.CoreEx.dll
%Program Files%\WinZip\System.Threading.dll
%Program Files%\WinZip\CloudStoragePicker.dll
%Program Files%\WinZip\CloudStorageService.dll
%Program Files%\WinZip\WINZIP32.exe.config
%Program Files%\WinZip\en-US\CloudStoragePicker.resources.dll
%Program Files%\WinZip\WzWXFlkin32.dll
%Program Files%\WinZip\WzWXFbox32.dll
%Program Files%\WinZip\WzWXFcldme32.dll
%Program Files%\WinZip\en-US\CloudMeService.resources.dll
%Program Files%\WinZip\en-US\ZipShareService.resources.dll
%Program Files%\WinZip\en-US\SugarSyncService.resources.dll
%Program Files%\WinZip\BoxService.dll
%Program Files%\WinZip\CloudMeService.dll
%Program Files%\WinZip\DropboxService.dll
%Program Files%\WinZip\ZipShareService.dll
%Program Files%\WinZip\GoogleDriveService.dll
%Program Files%\WinZip\OneDriveService.dll
%Program Files%\WinZip\SugarSyncService.dll
%Program Files%\WinZip\WzWXFzshare32.dll
%Program Files%\WinZip\WzWXFssync32.dll
%Program Files%\WinZip\WebAuthBroker.exe
%Program Files%\WinZip\WebAuthBroker32.dll
%Program Files%\WinZip\WzWXFtt32.dll
%Program Files%\WinZip\WzExpForSPExtension.exe
%Program Files%\WinZip\CloudStorageService.DesktopExtension.dll
%Program Files%\WinZip\en-US\BoxService.resources.dll
%Program Files%\WinZip\en-US\DropboxService.resources.dll
%Program Files%\WinZip\en-US\GoogleDriveService.resources.dll
%Program Files%\WinZip\en-US\OneDriveService.resources.dll
%Program Files%\WinZip\MediaFireService.dll
%Program Files%\WinZip\en-US\MediaFireService.resources.dll
%Program Files%\WinZip\WzWXFmfire32.dll
%Program Files%\WinZip\IMClient.dll
%Program Files%\WinZip\IMService.dll
%Program Files%\WinZip\WzWXFgtalk32.dll
%Program Files%\WinZip\WzWXFlc32.dll
%Program Files%\WinZip\WzWXFll32.dll
%Program Files%\WinZip\WzWXFln32.dll
%Program Files%\WinZip\WzWXFxmpp32.dll
%Program Files%\WinZip\WzWXFyhm32.dll
%Program Files%\WinZip\LocalService.dll
%Program Files%\WinZip\en-US\IMClient.resources.dll
%Program Files%\WinZip\WzProdAdv.dll
%Program Files%\WinZip\WzWXFFTP32.dll
%Program Files%\WinZip\WzWXFlf32.dll
%Program Files%\WinZip\FTPService.dll
%Program Files%\WinZip\en-US\FTPService.resources.dll
%Program Files%\WinZip\WXFD2P.dll
%Program Files%\WinZip\en-US\WXFD2P.resources.dll
%Program Files%\WinZip\WXFWMRK.dll
%Program Files%\WinZip\en-US\WXFWMRK.resources.dll
%Program Files%\WinZip\WzZEC32.dll
%Program Files%\WinZip\WzWpfCldPicker32.dll
%Program Files%\WinZip\WzDlg32.dll
%Program Files%\WinZip\WzSensor32.dll
%Program Files%\WinZip\WinZipExpressForOffice.dll
%Program Files%\WinZip\en-US\WinZipExpressForOffice.resources.dll
%Program Files%\WinZip\WzPreloader.exe
%Program Files%\WinZip\WzPreloader.exe.config
%Program Files%\WinZip\FAH.exe
%Program Files%\WinZip\FAHConsole.exe
%Program Files%\WinZip\FAHDll32.dll
%Program Files%\WinZip\FAHWindow32.exe
%Program Files%\WinZip\AddinExpress.MSO.2005.dll
%Program Files%\WinZip\AddinExpress.OL.2005.dll
%Program Files%\WinZip\adxloader.dll
%Program Files%\WinZip\adxloader.dll.manifest
%Program Files%\WinZip\adxloader64.dll
%Program Files%\WinZip\adxregistrator.exe
%Program Files%\WinZip\Extensibility.dll
%Program Files%\WinZip\Microsoft.Office.Interop.Word.dll
%Program Files%\WinZip\Microsoft.Office.Interop.PowerPoint.dll
%Program Files%\WinZip\Microsoft.Office.Interop.Excel.dll
%Program Files%\WinZip\Microsoft.Vbe.Interop.dll
%Program Files%\WinZip\Office.dll
%Program Files%\WinZip\UnInstall32.exe
%Program Files%\WinZip\en-US\UnInstall32.exe.mui
%Program Files%\WinZip\WzWXFytb32.dll
%Program Files%\WinZip\WzWXFlh32.dll
%Program Files%\WinZip\WzPrvHand32.dll
%Program Files%\WinZip\WzWXFphrs32.dll
%Program Files%\WinZip\en-US\WzWXFphrs32.dll.mui
%Program Files%\WinZip\WzWXFog32.dll
%Program Files%\WinZip\WzWXFttim32.dll
%Program Files%\WinZip\msvcp140.dll
%Program Files%\WinZip\ToastNotifier.dll
%Program Files%\WinZip\vccorlib140.dll
%Program Files%\WinZip\vcruntime140.dll
%Program Files%\WinZip\WZUpdateNotifier.exe
%Program Files%\WinZip\en-US\WZUpdateNotifier.exe.mui
%Program Files%\WinZip\System.Data.SQLite.dll
%Program Files%\WinZip\SQLite.Interop.dll
%Program Files%\WinZip\en-US\FAH.exe.mui
%Program Files%\WinZip\ipp.dll
%Program Files%\WinZip\RecipientClient.dll
%Program Files%\WinZip\en-US\RecipientClient.resources.dll
%Program Files%\WinZip\WzComAddrBook32.dll
%Program Files%\WinZip\WzAddrgcts32.dll
%Program Files%\WinZip\WzAddrocts32.dll
%Program Files%\WinZip\WzAddrycts32.dll
%Program Files%\WinZip\RecipientService.dll
%Program Files%\WinZip\WzBGTfcdnld32.dll
%Program Files%\WinZip\WzBGTfcdocs32.dll
%Program Files%\WinZip\WzBGTfcpics32.dll
%Program Files%\WinZip\WzBGTrbin32.dll
%Program Files%\WinZip\WzBGTtemp32.dll
%Program Files%\WinZip\WzBGTools.exe
%Program Files%\WinZip\WzBGTools.exe.config
%Program Files%\WinZip\en-US\WzBGTool.resources.dll
%Program Files%\WinZip\WzBGTool.dll
%Program Files%\WinZip\WzBGTWin10Notification.dll
%Program Files%\WinZip\WzWXFlpd32.dll
%Program Files%\WinZip\Interop.PortableDeviceApiLib.dll
%Program Files%\WinZip\Interop.PortableDeviceTypesLib.dll
%Program Files%\WinZip\LocalPortableDeviceService.dll
%Program Files%\WinZip\en-US\LocalPortableDeviceService.resources.dll
%Program Files%\WinZip\WzBGTComServer32.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Other System Modifications

This Potentially Unwanted Application adds the following registry keys:

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
shlExt = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
shlExt = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
Common\Email\Share
WinZip = ""

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
zDefDir = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
DefDir = %User Profile%\Documents

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
gzExtractTo = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
ExtractTo = %User Profile%\Documents

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
gzAddDir = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
AddDir = %User Profile%\Documents

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
ZipTempRemovableOnly = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
ZipTemp = %User Temp%

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\directories
CheckOutBase = ""

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
shlExt = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.ZIP = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.LHA = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.LZH = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.TAR = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.TAZ = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.TGZ = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.TZ = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.GZ = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.Z = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.CAB = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.UU = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.UUE = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.XXE = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.B64 = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.HQX = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.BHX = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.MIM = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.BZ2 = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.BZ = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.TBZ = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.TBZ2 = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
.RAR = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\fm
assoc = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
ListFormat1 = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
FullRowSelect = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
GridLines = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
PathMode = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
ThumbLoadDelay = 500

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
ThumbX = 94

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
ThumbY = 94

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
MaxThumbImgSize = -1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Name = 0,L,128,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Type = 1,L,93,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Date = 2,L,121,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Size = 3,R,60,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Ratio = 4,R,41,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Packed = 5,R,54,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_CRC = 6,L,0,F

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Attrib = 7,L,0,F

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ListView
Col_Path = 8,L,182,T

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\programs
viewer = %Windows%\NOTEPAD.EXE

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\programs
vviewer = ""

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Splitter
VPosition = 169

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Splitter
Enabled = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\ToolBar
Button2 = new,open,favor,add,extra,encrypt,view,check,wiz,mode

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\UpdateCheck
NoUpdateChecking = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\UpdateCheck
Period = 7

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\UpdateCheck
CurrentPeriod = 7

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\UpdateCheck
AskFirst = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\UpdateCheck
AutoMode = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\UpdateCheck
EditFlags = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\WinIni
win32_version = 6.3-11.2

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\WinIni
UZQF = L115

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
IBS = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
Setup = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
Wizard = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
VersionDate = 3/25/2014

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
newinstance = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
AOFF = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
LastTip = 10000

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
ShowTips = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
AltDrag = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
Adjustable = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
AlwaysOnTop = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
ReuseWindows = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
StoreExtendedTimestamps = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
StoreUnicodeFilenames = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
SpanDefault = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
DialogSplitFactor = 2

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
ExtractSkipOlder = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
CheckOutIconOnly = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
Display = 800,600

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\winzip
Main = 0,25,25,695,351

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
MenuCfgTable = 22222222222220002222

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
DropDialogWinzip = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
DropDialogExplorer = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
MenuBitmaps = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
ShellExtensionSubMenu = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
AddToFolder = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
CabCheckFixed = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
CabCheckRemovable = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
CabCheckOther = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
CommentCheckFixed = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
CommentCheckRemovable = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\wzshlext
CommentCheckOther = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.ZIP = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.LHA = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.LZH = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.TAR = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.TAZ = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.TGZ = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.TZ = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.GZ = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.Z = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.CAB = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.UU = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.UUE = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.XXE = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.B64 = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.HQX = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.BHX = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.MIM = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.BZ2 = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.BZ = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.TBZ = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.TBZ2 = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.RAR = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
assoc = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
shlExt = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\programs
zip2exe_init = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\programs
viewer = %Windows%\NOTEPAD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\programs
zip2exe = %Program Files%\WinZip\WZSEPE32.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
NoUpdateChecking = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
Period = 7

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
CurrentPeriod = 7

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
AskFirst = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
AutoMode = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
EditFlags = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WinIni
Setup = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WinIni
win32_version = 6.3-11.2

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
IBS = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
Setup = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
Wizard = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
VersionDate = 3/25/2014

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
newinstance = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
DropDialogWinzip = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
DropDialogExplorer = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
MenuBitmaps = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
ShellExtensionSubMenu = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
AddToFolder = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
CabCheckFixed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
CabCheckRemovable = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
CabCheckOther = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
CommentCheckFixed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
CommentCheckRemovable = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
CommentCheckOther = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
MenuCfgTable = 22222222222220002222

HKEY_CURRENT_USER\Software\Nico Mak Computing\
Common\Update Notifier\UpdtMgr000
ProductState = ""

HKEY_CURRENT_USER\Software\Nico Mak Computing\
Common\Update Notifier\UpdtMgr000
ProductExpiration = ""

HKEY_CURRENT_USER\Software\Nico Mak Computing\
File Association Helper
Enabled = 1

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Tools\WzBGTfcpics
ToolEnabled = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Tools\WzBGTtemp
ToolEnabled = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
Common\Update Notifier\Share
WinZip = ""

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Tools\WzBGTfcdnld
ToolEnabled = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Tools\WzBGTfcdocs
ToolEnabled = 0

HKEY_CURRENT_USER\Software\Nico Mak Computing\
WinZip\Tools\WzBGTrbin
ToolEnabled = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\Langs
1033 = en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\Langs
InstalledUILangID = 1033

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip Express\Office\Langs
1033 = en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip Express\Office\Langs
InstalledUILangID = 1033

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.ISO = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.ZIPX = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.IMG = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\fm
.7Z = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
RunPreLoader = 20

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
ExtractSkipOlder = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
DefaultCompressionMethod = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
ProductCode = {CD95F661-A5C4-44F5-A6AA-ECDD91C24104}

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
ReuseWindows = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
ExeBits = 32

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
Adjustable = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
CheckOutIconOnly = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
SpanDefault = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
AltDrag = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
Version = 20.5.12118

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
DialogSplitFactor = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
AlwaysOnTop = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\winzip
AnimatedBusy = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFzshare\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFzshare\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\wzshlext
MenuCfgTable = 22222222222222222222

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFbox\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFbox\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\caution
ErrDelEncrytCaution = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
AutoMode = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\UpdateCheck
AskFirst = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip
x-at = lan2

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
File Association Helper
Enabled = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFdbox\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFdbox\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFcldme\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFcldme\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\ListView
ListFormat1 = 4

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\ListView
PathMode = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\ListView
GridLines = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\ListView
FullRowSelect = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\programs
vviewer = %Windows%\NOTEPAD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFgdrv\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFgdrv\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF
DefaultMaxParallel = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFssync\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFssync\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\Statistics
Collect = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WinIni
win32_version = 6.3-20.5

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFoned\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFoned\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\Policies
DisableFAH = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFmfire\
Default
WritableRootFolder = \

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\WXF\WzWXFmfire\
Default
MaxUploadSizeMB = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\Statistics
UsageCollectLock = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\
WinZip\Splitter
Enabled = 1

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URL:

http://{BLOCKED}.{BLOCKED}data.com/?v={value}&subver={value}&pcrc={value}
http://{BLOCKED}.{BLOCKED}data.com/?v={value}&c={value}&at={value}&cntr=0
http://{BLOCKED}.{BLOCKED}data.com/WinZip/?v={value}&c={value}&t={value}
http://{BLOCKED}ad.{BLOCKED}.com/lan1/20/winzip_en_32.msi

PUA_INSTALLCORE.GY

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

PUA_INSTALLCORE.GY

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific