File name: 5.4.8 Warmane Exes.rar

Full analysis: https://app.any.run/tasks/66d27cab-2fa1-46f2-977e-d5c8b703a58c
Verdict: Malicious activity
Analysis date: October 31, 2020, 12:27:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: F6FF1C41570BA467AFE95F1B0D39AAE8
SHA1: 75947DB2C84A2AB07A016B40A4C636B078D408DB
SHA256: 227804719DE5E0E87573A41F5FA2CA64C7A8DE91B81D90C3BAF94DF237188C67
SSDEEP: 196608:1QHi6lQUiZaNXhpVavYXRG/7YQsKK1QXTZxz1uENr3QUT8Be:2yULX3VwYXR8YPxONxBuEVQUT9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Wow_Patched.exe (PID: 2116)
      • Wow_Patched.exe (PID: 2896)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • Wow_Patched.exe (PID: 2896)
      • Wow_Patched.exe (PID: 2116)
  • INFO
    • Manual execution by user
      • Wow_Patched.exe (PID: 2116)
      • Wow_Patched.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 4475646
UncompressedSize: 13154864
OperatingSystem: Win32
ModifyDate: 2015:09:01 19:31:09
PackingMethod: Best Compression
ArchivedFileName: Wow_Patched.exe
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start, winrar.exe (no specs), wow_patched.exe, wow_patched.exe

Process information

PID: 2116
CMD: "C:\Users\admin\Desktop\Wow_Patched.exe"
Path: C:\Users\admin\Desktop\Wow_Patched.exe
Parent process: explorer.exe
User: admin
Company: Blizzard Entertainment
Integrity Level: MEDIUM
Description: World of Warcraft Retail
Exit code: 0
Version: 5, 4, 8, 18414
Modules (images):
c:\users\admin\desktop\wow_patched.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2828
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5.4.8 Warmane Exes.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2896
CMD: "C:\Users\admin\Desktop\Wow_Patched.exe"
Path: C:\Users\admin\Desktop\Wow_Patched.exe
Parent process: explorer.exe
User: admin
Company: Blizzard Entertainment
Integrity Level: MEDIUM
Description: World of Warcraft Retail
Exit code: 0
Version: 5, 4, 8, 18414
Modules (images):
c:\users\admin\desktop\wow_patched.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Total events: 494
Read events: 455
Write events: 39
Delete events: 0

Modification events

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\5.4.8 Warmane Exes.rar

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Executable files: 0
Suspicious files: 0
Text files: 4
Unknown types: 5

Dropped files

PID: 2828, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2828.10672\Wow_Patched.exe
MD5:
SHA256:

PID: 2828, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2828.10672\Wow-64_Patched.exe
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\enUS\locale-enUS.MPQ.temp
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\enUS\locale-enUS.MPQ
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\enUS\speech-enUS.MPQ.temp
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\enUS\speech-enUS.MPQ
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\misc.MPQ.temp
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\misc.MPQ
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\texture.MPQ.temp
MD5:
SHA256:

PID: 2896, Process: Wow_Patched.exe
Filename: C:\Users\admin\Desktop\Data\texture.MPQ
MD5:
SHA256:

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 4
DNS requests: 3
Threats: 14

HTTP requests

PID: 2116, Process: Wow_Patched.exe
Method: GET, HTTP code: 200
IP: 72.247.184.129:80
URL: http://dist.blizzard.com.edgesuite.net/wow-pod-retail/NA/config_retail_CEBCF34561DDF1DD745F8E30C45568A7.xml
CN: NL, Type: text, Size: 2.65 Kb, Reputation: malicious

PID: 2896, Process: Wow_Patched.exe
Method: POST, HTTP code: 200
IP: 137.221.106.19:1119
URL: http://enUS.patch.battle.net:1119/patch
CN: FR, Type: text, Size: 489 b, Reputation: suspicious

PID: 2116, Process: Wow_Patched.exe
Method: POST, HTTP code: 200
IP: 137.221.106.19:1119
URL: http://enUS.patch.battle.net:1119/patch
CN: FR, Type: text, Size: 489 b, Reputation: suspicious

PID: 2896, Process: Wow_Patched.exe
Method: GET, HTTP code: 200
IP: 72.247.184.129:80
URL: http://dist.blizzard.com.edgesuite.net/wow-pod-retail/NA/config_retail_CEBCF34561DDF1DD745F8E30C45568A7.xml
CN: NL, Type: text, Size: 2.65 Kb, Reputation: malicious

PID: 2896, Process: Wow_Patched.exe
Method: GET, HTTP code: 200
IP: 72.247.184.129:80
URL: http://dist.blizzard.com.edgesuite.net/wow-pod-retail/NA/15890.direct/wow-18414-447E3E618F731CCBF4F7D2C4E56C5644.mfil
CN: NL, Type: text, Size: 58.4 Kb, Reputation: malicious

PID: 2896, Process: Wow_Patched.exe
Method: GET, HTTP code: 206
IP: 72.247.184.129:80
URL: http://dist.blizzard.com.edgesuite.net/wow-pod-retail/NA/15890.direct/Data/enUS/wow-update-enUS-18273.MPQ
CN: NL, Type: mpq, Size: 16.0 Kb, Reputation: malicious

PID: 2896, Process: Wow_Patched.exe
Method: GET, HTTP code: 206
IP: 72.247.184.129:80
URL: http://dist.blizzard.com.edgesuite.net/wow-pod-retail/NA/15890.direct/Data/enUS/wow-update-enUS-18273.MPQ
CN: NL, Type: binary, Size: 4.06 Kb, Reputation: malicious

Connections

PID: 2116, Process: Wow_Patched.exe
IP: 137.221.106.19:1119
Domain: enus.patch.battle.net
ASN: Blizzard Entertainment, Inc
CN: FR, Reputation: suspicious

PID: 2896, Process: Wow_Patched.exe
IP: 137.221.106.19:1119
Domain: enus.patch.battle.net
ASN: Blizzard Entertainment, Inc
CN: FR, Reputation: suspicious

PID: 2116, Process: Wow_Patched.exe
IP: 72.247.184.129:80
Domain: dist.blizzard.com.edgesuite.net
ASN: Akamai International B.V.
CN: NL, Reputation: whitelisted

PID: 2896, Process: Wow_Patched.exe
IP: 72.247.184.129:80
Domain: dist.blizzard.com.edgesuite.net
ASN: Akamai International B.V.
CN: NL, Reputation: whitelisted


DNS requests

Domain: enus.patch.battle.net
  • 137.221.106.19
Reputation: suspicious

Domain: dist.blizzard.com.edgesuite.net
  • 72.247.184.129
  • 72.247.184.153
Reputation: malicious

Domain: llnw.blizzard.com
Reputation: unknown

Threats

PID: 2116, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)

PID: 2116, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Web Downloader Install Detected

PID: 2116, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)

PID: 2116, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Web Downloader Install Detected

PID: 2896, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)

PID: 2896, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Web Downloader Install Detected

PID: 2896, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)

PID: 2896, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Web Downloader Install Detected

PID: 2896, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)

PID: 2896, Process: Wow_Patched.exe
Class: Potential Corporate Privacy Violation
Message: ET GAMES Blizzard Web Downloader Install Detected

Process: Wow_Patched.exe
Message: archive Data/enUS/wow-update-enUS-18273.MPQ opened

Process: Wow_Patched.exe
Message: archive Data\Cache\enUS\patch-enUS-18273.MPQ opened for writing