wikitime.exe

The Foundation

The application wikitime.exe by The Foundation has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WikiTime’. This file is typically installed with the program WikiTime - Desktop Wikipedia for Desktop by WikiTime.
Publisher:
The Foundation  (signed and verified)

MD5:
c5d724e91570585a2677ab3f1907aecf

SHA-1:
573460fd4ad5144902983624a71094c5c77b9ff9

SHA-256:
4ee23625707ee2853473dd929a792c49490ed2813daa70440bae5d8ff4c57e0d

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 8:02:04 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.TrailerTime.TheFoundation (M)

Engine version:
16.2.21.23

File size:
45.8 MB (48,035,112 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wikitime\wikitime.exe

Digital Signature
Signed by:

Authority:
The Foundation

Valid from:
6/15/2015 7:24:30 AM

Valid to:
6/12/2025 7:24:30 AM

Subject:
CN=The Foundation, O=The Foundation, S=Some-State, C=US

Issuer:
CN=The Foundation, O=The Foundation, S=Some-State, C=US

Serial number:
00BFDA29BD9F457AD4

File PE Metadata
Compilation timestamp:
3/5/2015 2:21:42 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:ZLJmRGIXff9keaayimwJZHM3SD3K4mNCesWePrumsEUF0pfsUUv:ZtmRGIXff923imwJZMCDVVesWewFHUK

Entry address:
0x1C996D1

Entropy:
6.8778

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WikiTime

Command:
C:\users\{user}\appdata\roaming\wikitime\wikitime.exe su


The file wikitime.exe has been discovered within the following program.

About 1% of users remove it

The executing file has been seen to make the following network communications in live environments.
