wikiz.exe

WikiZ

The executable wikiz.exe has been detected as malware by 1 anti-virus scanner. It is set to execute automatically when any user logs into Windows (through the local user Run registry setting), under the entry name ‘WikiZ’. This file is typically installed with the program WikiZ - WikiZ for Desktop by WikiZ. While running, it connects to the Internet address hotelamur.ru on port 80 using the HTTP protocol.
Publisher:
WikiZ (signed and verified)

MD5:
4c99dc12f0a555f791ed1009745f9e77

SHA-1:
248f51cedc34801907d02b7d69acc5df60949538

SHA-256:
ed6e10e26ee919af203f78e7bd5a417851fd53be082d8315b2f3174b43b943f8

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/5/2024 9:47:55 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.8.2.14

File size:
45.6 MB (47,823,368 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wikiz\wikiz.exe

Digital Signature
Signed by:

Authority:
WikiZ

Valid from:
2/5/2016 2:21:32 PM

Valid to:
2/2/2026 2:21:32 PM

Subject:
CN=WikiZ, OU=WikiZ, O=WikiZ, S=Some-State, C=US

Issuer:
CN=WikiZ, OU=WikiZ, O=WikiZ, S=Some-State, C=US

Serial number:
00C37A23FBC3D8AB24

File PE Metadata
Compilation timestamp:
2/20/2016 8:43:51 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:suK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQfQZ4:xwC64r1c6ZgnUSrLpbUAdBUQq6/BL7E4

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8771

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WikiZ

Command:
C:\users\{user}\appdata\roaming\wikiz\wikiz.exe su
The file wikiz.exe has been discovered within the following programs.

About 8% of users remove it
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.


Remove wikiz.exe - Powered by Reason Core Security