URL: | http://stackpathdownload.wildgames.com/WildTangentHelperUpdate/WildTangentHelper-1.0.0.437.exe |
Full analysis: | https://app.any.run/tasks/dedc4ddf-5709-4aff-8e0a-c9410bbbae04 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | March 30, 2021, 16:26:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 76E3B343BEBE479C7EA10483CCDF7DB8 |
SHA1: | D059C8AF9ECA5672E39457542F23756EE53D38DA |
SHA256: | 4DB77FC13840323EC44F729600AF436CFCF5800569E2AF9E936A50CCDCCB009F |
SSDEEP: | 3:N1KNR3rB5yRnBxELX0vQRfCLX0EdVt:CH3knsTRO/dVt |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2528 | "C:\Program Files\Internet Explorer\iexplore.exe" http://stackpathdownload.wildgames.com/WildTangentHelperUpdate/WildTangentHelper-1.0.0.437.exe | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2504 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2528 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2364 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe | — | iexplore.exe | |||||||||||
User: admin Company: gamigo, Inc. Integrity Level: MEDIUM Description: WildTangentHelper Exit code: 3221226540 Version: 1.0.0.437 Modules
| |||||||||||||||
556 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe | iexplore.exe | ||||||||||||
User: admin Company: gamigo, Inc. Integrity Level: HIGH Description: WildTangentHelper Exit code: 0 Version: 1.0.0.437 Modules
| |||||||||||||||
3864 | "C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB151.tmp" "C:\Program Files\WildTangent Games\Integration\WildTangentHelperService.exe" /LockService | C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB151.tmp | — | WildTangentHelper-1.0.0.437.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225501 Modules
| |||||||||||||||
1892 | "C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB2AA.tmp" net stop wildtangenthelper | C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB2AA.tmp | — | WildTangentHelper-1.0.0.437.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 2 Modules
| |||||||||||||||
3304 | net stop wildtangenthelper | C:\Windows\system32\net.exe | — | nsB2AA.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3796 | C:\Windows\system32\net1 stop wildtangenthelper | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2556 | "C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB402.tmp" taskkill /fi "IMAGENAME eq WildTangentHelperService.exe" /t /f | C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB402.tmp | — | WildTangentHelper-1.0.0.437.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
1536 | taskkill /fi "IMAGENAME eq WildTangentHelperService.exe" /t /f | C:\Windows\system32\taskkill.exe | — | nsB402.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 2290302128 | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30877057 | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2528) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2504 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\WildTangentHelper-1.0.0.437[1].exe | — | |
MD5:— | SHA256:— | |||
2504 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe.lnumaz7.partial | — | |
MD5:— | SHA256:— | |||
2528 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8DD285A64AF8EB0F.TMP | — | |
MD5:— | SHA256:— | |||
2528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe.lnumaz7.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
556 | WildTangentHelper-1.0.0.437.exe | C:\Program Files\WildTangent Games\Integration\uninstaller.new | executable | |
MD5:08304FE47722E2E0979109D30D7274DF | SHA256:8930A1CE709BA7B100BE6E649B64DDAC67E1800FFF9D37641200FD2796EECA64 | |||
556 | WildTangentHelper-1.0.0.437.exe | C:\Program Files\WildTangent Games\Integration\ShellHlp.new | executable | |
MD5:354CC7454CB56736F77F43AC1D2C6906 | SHA256:074A218D606416869D69FDE570F08B010E0316D0C5F3B285D21C1F51CE33BA75 | |||
556 | WildTangentHelper-1.0.0.437.exe | C:\Program Files\WildTangent Games\Integration\GameLauncherx64.new | executable | |
MD5:DF27ECFBE5E034E5A323CDC12264FC66 | SHA256:AE52D75E3E8CF9F444B4F08B5B447167AC8B05F4393F65D6A851B0187EDB917D | |||
556 | WildTangentHelper-1.0.0.437.exe | C:\Program Files\WildTangent Games\Integration\WildTangentHelperService.new | executable | |
MD5:C58D0CF705BA20AE656AF5FB94EF89AA | SHA256:62C41D440EEB433CAB5EC105B939D3C6BBB3CD81A343057FAC053734F96DCE01 | |||
556 | WildTangentHelper-1.0.0.437.exe | C:\Program Files\WildTangent Games\Integration\GameLauncherDllx64.new | executable | |
MD5:1516A7DD670C30F386826022B8E7527C | SHA256:DA2FBC0BC3DE0B7DFA5F40D05AF4F372580248D42B822DA0740CDA39943D45B5 | |||
556 | WildTangentHelper-1.0.0.437.exe | C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB402.tmp | executable | |
MD5:279BAA18BA64F9C8A8FFB91CD4C53469 | SHA256:9DAE470D35319ED412EE4B4F636AFCA5C3F4F5012D9D9F88255E8A24CA803C46 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3440 | WildTangentHelperService.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
2504 | iexplore.exe | GET | 200 | 151.139.241.10:80 | http://stackpathdownload.wildgames.com/WildTangentHelperUpdate/WildTangentHelper-1.0.0.437.exe | US | executable | 3.13 Mb | suspicious |
2528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3440 | WildTangentHelperService.exe | GET | 200 | 13.32.23.96:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3440 | WildTangentHelperService.exe | GET | 200 | 13.32.23.204:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
2528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3440 | WildTangentHelperService.exe | GET | 200 | 13.32.23.89:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2528 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3440 | WildTangentHelperService.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2504 | iexplore.exe | 151.139.241.10:80 | stackpathdownload.wildgames.com | netDNA | US | suspicious |
3440 | WildTangentHelperService.exe | 13.32.23.204:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted |
3440 | WildTangentHelperService.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
2528 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3440 | WildTangentHelperService.exe | 151.139.241.4:443 | onlinecheck.wildtangent.com | netDNA | US | unknown |
3440 | WildTangentHelperService.exe | 143.204.202.10:443 | clientservices.wildtangent.com | — | US | suspicious |
3440 | WildTangentHelperService.exe | 13.32.23.89:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted |
3440 | WildTangentHelperService.exe | 13.32.23.96:80 | o.ss2.us | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
stackpathdownload.wildgames.com |
| suspicious |
onlinecheck.wildtangent.com |
| suspicious |
www.download.windowsupdate.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
clientservices.wildtangent.com |
| whitelisted |
o.ss2.us |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
Process | Message |
---|---|
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: ---------------------------Start Install--------------------------- |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: Delete obsolete files |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: Delete any .bak files |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: Delete any .new files |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: Place all .new files |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: Stopping WTHelper |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: StopWTHelperWait : Begin |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: StopWTHelperWait : End |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: RetryRenameFiles() : Returning true - complete w/o errors |
WildTangentHelper-1.0.0.437.exe | WTHelperInstallUninstall :: File operations completed successfully |