.. /Zipfldr.dll
Star

Compressed Folder library

Paths:

c:\windows\system32\zipfldr.dll
c:\windows\syswow64\zipfldr.dll

Resources:

Acknowledgements:

Moriarty (Execution) (@moriarty_meng)
r0lan (Obfuscation) (@r0lan)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml

Execute

Launch an executable payload by calling RouteTheCall.
```
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
```
Use case
Launch an executable.

Privileges required
User

Operating systems
Windows 10, Windows 11

ATT&CK® technique
T1218.011
Launch an executable payload by calling RouteTheCall (obfuscated).
```
rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
```
Use case
Launch an executable.

Privileges required
User

Operating systems
Windows 10, Windows 11

ATT&CK® technique
T1218.011