wikiz.exe

WikiZ

The executable wikiz.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WikiZ’. While running, it connects to the Internet address upload-lb.ulsfo.wikimedia.org on port 443.

Publisher:
WikiZ  (signed and verified)

MD5:
463369991e4f840b2692f87514fdcd4a

SHA-1:
692258118f422dc3e0a59e5585217e3ef906fdac

SHA-256:
3a78cbf95eeafc9aea71866ba988cfa96a80762f970be958624c8f2cd710f922

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
1/13/2025 6:49:07 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.12.2.13

File size:
45.6 MB (47,826,904 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wikiz\wikiz.exe

Digital Signature
Signed by:

Authority:
WikiZ

Valid from:
2/6/2016 4:21:32 AM

Valid to:
2/3/2026 4:21:32 AM

Subject:
CN=WikiZ, OU=WikiZ, O=WikiZ, S=Some-State, C=US

Issuer:
CN=WikiZ, OU=WikiZ, O=WikiZ, S=Some-State, C=US

Serial number:
00C37A23FBC3D8AB24

File PE Metadata
Compilation timestamp:
2/20/2016 10:43:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:vuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQf/t5:mwC64r1c6ZgnUSrLpbUAdBUQq6/BL715

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8775

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WikiZ

Command:
C:\users\{user}\appdata\roaming\wikiz\wikiz.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to upload-lb.ulsfo.wikimedia.org  (198.35.26.112:443)

TCP (HTTP SSL):
Connects to text-lb.ulsfo.wikimedia.org  (198.35.26.96:443)

TCP (HTTP SSL):
Connects to web1.ifbyphone.com  (64.74.105.60:443)

TCP (HTTP SSL):
Connects to urs-ext-vip1.phx2.cbsig.net  (216.239.120.224:443)

TCP (HTTP SSL):
Connects to unknown.telstraglobal.net  (210.176.156.25:443)

TCP (HTTP SSL):
Connects to text-lb.esams.wikimedia.org  (91.198.174.192:443)

TCP (HTTP SSL):
Connects to s-prd-umpxl-adcom-scd-blue-b.evip.aol.com  (149.174.66.131:443)

TCP (HTTP SSL):
Connects to s-prd-umpxl-adcom-scd-a.evip.aol.com  (152.163.13.4:443)

TCP (HTTP SSL):
Connects to phx2-dw-cbsi-xw-lb.cnet.com  (216.239.120.246:443)

TCP (HTTP SSL):
Connects to ox-173-241-248-143.xf.dc.openx.org  (173.241.248.143:443)

TCP (HTTP SSL):
Connects to mx-ll-110.164.11-18.static.3bb.co.th  (110.164.11.18:443)

TCP (HTTP SSL):
Connects to kul01s10-in-f38.1e100.net  (216.58.221.38:443)

TCP (HTTP SSL):
Connects to kul01s10-in-f2.1e100.net  (216.58.221.34:443)

TCP (HTTP):
Connects to ec2-54-174-33-196.compute-1.amazonaws.com  (54.174.33.196:80)

TCP (HTTP SSL):
Connects to cbsi.com.ssl.d2.sc.omtrdc.net  (63.140.49.129:443)

TCP (HTTP SSL):
Connects to a96-17-249-170.deploy.akamaitechnologies.com  (96.17.249.170:443)

TCP (HTTP SSL):
Connects to a96-17-243-165.deploy.akamaitechnologies.com  (96.17.243.165:443)

TCP (HTTP SSL):
Connects to a23-61-96-205.deploy.static.akamaitechnologies.com  (23.61.96.205:443)

TCP (HTTP SSL):
Connects to a23-61-103-126.deploy.static.akamaitechnologies.com  (23.61.103.126:443)

Remove wikiz.exe - Powered by Reason Core Security