wizz.exe

Karim Lammali

Although the file properties state that it was developed by 'Microsoft Corporation', this is not the case: the metadata is crafted to make the executable look like a legitimate Microsoft system file. wizz.exe has been detected as malware by 33 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘cf9162e7f0b57c9aae661e4973d96ab4’.
Publisher:
Microsoft Corporation  (signed by Karim Lammali)

Product:
Microsoft Corporation

Version:
2.1.4.0

MD5:
d6f55fc1c1c0f58d26405f0ec49dba73

SHA-1:
9fb303025075a6306db69df59648e740d2ea6694

SHA-256:
6b9d19567238c882d02ed9d0b518e8af2c0bf7709bcd7e8d13fe6072a0f16611

Scanner detections:
33 / 68

Status:
Malware

Analysis date:
4/19/2024 8:39:32 PM UTC  (today)

Scan engine                    Detection                             Engine version
Lavasoft Ad-Aware              Trojan.Generic.9034783                362
AegisLab AV Signature          Troj.MSIL.Agent.avfg!c                2.1.4+
Agnitum Outpost                Trojan.Agent                          7.1.1
Avira AntiVirus                TR/MSIL.Agent.avfg                    8.3.2.4
Arcabit                        Trojan.Generic.D89DC1F                1.0.0.653
avast!                         MSIL:Agent-DDY [Trj]                  2014.9-160207
AVG                            Generic33                             2017.0.2840
Baidu Antivirus                Trojan.MSIL.MultiPacked               4.0.3.1627
Bitdefender                    Trojan.Generic.9034783                1.0.20.190
Comodo Security                UnclassifiedMalware                   24091
Dr.Web                         Trojan.DownLoader9.38280              9.0.1.038
Emsisoft Anti-Malware          Trojan.Generic.9034783                8.16.02.07.10
ESET NOD32                     MSIL/Packed.MultiPacked.AJ (variant)  10.12977
Fortinet FortiGate             W32/Agent.AVFG!tr                     2/7/2016
F-Secure                       Trojan.Generic.9034783                11.2016-07-02_1
G Data                         Trojan.Generic.9034783                16.2.25
IKARUS anti.virus              Backdoor.MSIL                         t3scan.2.0.5.0
K7 AntiVirus                   Trojan                                13.213.18643
Kaspersky                      Trojan.MSIL.Agent                     14.0.0.695
Malwarebytes                   Trojan.FakeMS.ED                      v2016.02.07.10
McAfee                         Generic.dx!D6F55FC1C1C0               5600.6496
Microsoft Security Essentials  Worm:MSIL/Bladabindi.B                1.1.12400.0
MicroWorld eScan               Trojan.Generic.9034783                17.0.0.114
NANO AntiVirus                 Trojan.Win32.Agent.dtricz             1.0.14.5798
nProtect                       Trojan-Dropper/W32.FrauDrop.491440    16.02.04.01
Panda Antivirus                Generic Malware                       16.02.07.10
Qihoo 360 Security             HEUR/QVM03.0.Malware.Gen              1.0.0.1120
Sophos                         Mal/Generic-S                         4.98
Trend Micro House Call         TROJ_SPNR.06FD13                      7.2.38
Trend Micro                    TROJ_SPNR.06FD13                      10.465.07
Vba32 AntiVirus                Trojan.MSIL.Agent                     3.12.26.4
VIPRE Antivirus                Trojan.Win32.Generic                  46970
Zillya! Antivirus              Trojan.Agent.Win32.371283             2.0.0.2647

File size:
479.9 KB (491,440 bytes)

Product version:
5.3.2.5

Copyright:
Microsoft Corporation

Original file name:
C:\Documents and Settings\Administrateur\Bureau\CryptoObfuscator_Output\Servear.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\wizz.exe

Digital Signature
Signed by:
Karim Lammali
Authority:
DigiCert Inc

Valid from:
3/18/2013 2:00:00 AM

Valid to:
5/21/2014 3:00:00 PM

Subject:
CN=Karim Lammali, O=Karim Lammali, L=Besançon, C=FR

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
06477E3425F1448995CED539789E6842

File PE Metadata
Compilation timestamp:
4/18/2013 8:10:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:QT0b0eNOjcx4W+rsdVtlPt4fDOLjRaBJJvGl3dl:WetxdJvPPt4fi1qJJOl3

Entry address:
0x3A79A

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A0, 03, 00, 0C, 00, 00, 00, 9C, 37, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
226 KB (231,424 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
cf9162e7f0b57c9aae661e4973d96ab4

Command:
"C:\users\{user}\appdata\local\temp\wizz.exe"


Remove wizz.exe - Powered by Reason Core Security