File name:

warblade_warblade_1.2x_demo_anglais_10661.exe

Full analysis: https://app.any.run/tasks/64fd5380-0576-404d-a43f-166cc8218134
Verdict: Malicious activity
Analysis date: June 16, 2024, 14:22:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

4290EA3498B42540D7DDA6715E830161

SHA1:

FF05735BDEBB128E4F71FC2DB1059D3F71615E76

SHA256:

D066F3AC1335259D350A6923B6C964B5ECFFB6745988E333F6225E17699FFFD2

SSDEEP:

98304:nvjSBOJgsvEgBx2rFtFlElf14kuuhh50OJhUBtxBQ5jg4b23itoq6fchNGDsPYlY:gBv+wPeHwEraFJdeWyR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-QGI20.tmp (PID: 2072)
      • warblade_warblade_1.2x_demo_anglais_10661.exe (PID: 4080)

    • Creates a writable file in the system directory

      • is-QGI20.tmp (PID: 2072)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • is-QGI20.tmp (PID: 2072)
      • warblade_warblade_1.2x_demo_anglais_10661.exe (PID: 4080)

    • Reads the Windows owner or organization settings

      • is-QGI20.tmp (PID: 2072)

    • Reads the Internet Settings

      • warblade.exe (PID: 1036)

    • Process drops legitimate windows executable

      • is-QGI20.tmp (PID: 2072)

  • INFO

    • Checks supported languages

      • warblade_warblade_1.2x_demo_anglais_10661.exe (PID: 4080)
      • is-QGI20.tmp (PID: 2072)
      • warblade.exe (PID: 1036)

    • Create files in a temporary directory

      • is-QGI20.tmp (PID: 2072)
      • warblade_warblade_1.2x_demo_anglais_10661.exe (PID: 4080)
      • warblade.exe (PID: 1036)

    • Reads the computer name

      • is-QGI20.tmp (PID: 2072)
      • warblade.exe (PID: 1036)

    • Creates files in the program directory

      • is-QGI20.tmp (PID: 2072)
      • warblade.exe (PID: 1036)

    • Reads the machine GUID from the registry

      • warblade.exe (PID: 1036)

    • Creates a software uninstall entry

      • is-QGI20.tmp (PID: 2072)

    • Application launched itself

      • msedge.exe (PID: 284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 35328
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x9264
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName: Edgar M Vigdal, EMV Software
FileDescription: Warblade v1.2X Demo Setup
FileVersion:
InternalName: -
OriginalFileName: -
ProductName: -
ProductVersion: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start warblade_warblade_1.2x_demo_anglais_10661.exe is-qgi20.tmp warblade.exe no specs msedge.exe no specs msedge.exe no specs warblade_warblade_1.2x_demo_anglais_10661.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
284"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.warblade.as/register.aspC:\Program Files\Microsoft\Edge\Application\msedge.exewarblade.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1036"C:\Program Files\Warblade\warblade.exe"C:\Program Files\Warblade\warblade.exeis-QGI20.tmp
User:
admin
Company:
Edgar M Vigdal
Integrity Level:
HIGH
Description:
WarBlade
Version:
1, 0, 0, 1
Modules
Images
c:\program files\warblade\warblade.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2008"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0x170,0x174,0x178,0x144,0x180,0x6c7ef598,0x6c7ef5a8,0x6c7ef5b4C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2072"C:\Users\admin\AppData\Local\Temp\is-18ING.tmp\is-QGI20.tmp" /SL4 $30138 C:\Users\admin\AppData\Local\Temp\warblade_warblade_1.2x_demo_anglais_10661.exe 8746524 50688 C:\Users\admin\AppData\Local\Temp\is-18ING.tmp\is-QGI20.tmp
warblade_warblade_1.2x_demo_anglais_10661.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-18ing.tmp\is-qgi20.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3984"C:\Users\admin\AppData\Local\Temp\warblade_warblade_1.2x_demo_anglais_10661.exe" C:\Users\admin\AppData\Local\Temp\warblade_warblade_1.2x_demo_anglais_10661.exeexplorer.exe
User:
admin
Company:
Edgar M Vigdal, EMV Software
Integrity Level:
MEDIUM
Description:
Warblade v1.2X Demo Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\warblade_warblade_1.2x_demo_anglais_10661.exe
c:\windows\system32\ntdll.dll
4080"C:\Users\admin\AppData\Local\Temp\warblade_warblade_1.2x_demo_anglais_10661.exe" C:\Users\admin\AppData\Local\Temp\warblade_warblade_1.2x_demo_anglais_10661.exe
explorer.exe
User:
admin
Company:
Edgar M Vigdal, EMV Software
Integrity Level:
HIGH
Description:
Warblade v1.2X Demo Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\warblade_warblade_1.2x_demo_anglais_10661.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
Total events
3 433
Read events
3 397
Write events
36
Delete events
0

Modification events

(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:Inno Setup: Setup Version
Value:
4.2.7
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\Warblade
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\Warblade\
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:Inno Setup: Icon Group
Value:
Warblade
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:Inno Setup: Selected Tasks
Value:
desktopicon
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:Inno Setup: Deselected Tasks
Value:
quicklaunchicon
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:DisplayName
Value:
Warblade v1.2X Demo
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\Warblade\unins000.exe"
(PID) Process:(2072) is-QGI20.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warblade v1.2X Demo_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\Warblade\unins000.exe" /SILENT
Executable files
13
Suspicious files
169
Text files
24
Unknown types
307

Dropped files

PID
Process
Filename
Type
2072is-QGI20.tmpC:\Program Files\Warblade\is-8CR35.tmpexecutable
MD5:BF15CE70E055955FAFD81A18EC1C0771
SHA256:BCE9CA64313AE3F10372A95D373D1E5C8B2C545B75FDB5EDDC3C8391FF4B02A4
2072is-QGI20.tmpC:\Program Files\Warblade\CrashReportSender.exeexecutable
MD5:4C3B741109CCE9E1845B630F7D7843B8
SHA256:E87510AF654DF42B477A0D8C0344EC687C6669529FDDB3B4AD3AF9DDA37C9BED
2072is-QGI20.tmpC:\Program Files\Warblade\Important new version notes_V1.2x_eng.txttext
MD5:BCBE14634FB136477E28A424DE225822
SHA256:8FA645D24566C831942CBD3DA846A229DF4ADA95E4FF4C1A69C6D0842074331E
2072is-QGI20.tmpC:\Program Files\Warblade\is-CR3J2.tmptext
MD5:C4D238FF32712B3FAE271B94ADABF4F0
SHA256:83037BB2C770D8571844694887B08C20630A46C92948930E309D7A2DD6F67DD9
2072is-QGI20.tmpC:\Users\admin\AppData\Local\Temp\is-EN2QT.tmp\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2072is-QGI20.tmpC:\Program Files\Warblade\unins000.exeexecutable
MD5:BF15CE70E055955FAFD81A18EC1C0771
SHA256:BCE9CA64313AE3F10372A95D373D1E5C8B2C545B75FDB5EDDC3C8391FF4B02A4
2072is-QGI20.tmpC:\Program Files\Warblade\Important new version notes_V1.2x_fre.txttext
MD5:06CEED35D0A965FB46680E277281DBA2
SHA256:2D667707AC71B642FB5F52D212B09EAAC92F7BF1BA0D8CF0FEF0920B3BFE4906
2072is-QGI20.tmpC:\Program Files\Warblade\fmod.dllexecutable
MD5:F51A7DD4D040A9C079CF64D36F569673
SHA256:7C6F7495D0A981F646BC23FDB39C0E349C598F5D6F4EF0EE58311338AE760194
2072is-QGI20.tmpC:\Program Files\Warblade\is-QK47O.tmpexecutable
MD5:3D62E21FCA49D101F95F9BB7521F767A
SHA256:2138959FBE29F7955A8FCCEEC840FAAE0903E01654CDA709A05C41C425F6EC02
2072is-QGI20.tmpC:\Program Files\Warblade\warblade.exeexecutable
MD5:3D62E21FCA49D101F95F9BB7521F767A
SHA256:2138959FBE29F7955A8FCCEEC840FAAE0903E01654CDA709A05C41C425F6EC02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
warblade_warblade_1.2x_demo_anglais_10661.exe