File name: Battle.net-Setup.exe

Full analysis: https://app.any.run/tasks/0886c848-483a-4c0d-a628-9827dd194bab
Verdict: Malicious activity
Analysis date: December 06, 2024, 11:50:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: F7FE24CEBBC4B0332C77BCE563E11B1D
SHA1: 744968C9193E5A1B96941695600D3770E61A6FFA
SHA256: 002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C
SSDEEP: 98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Checks for external IP
      • Battle.net-Setup.exe (PID: 3732)
    • Connects to unusual port
      • Battle.net-Setup.exe (PID: 3732)
    • Potential Corporate Privacy Violation
      • Battle.net-Setup.exe (PID: 3732)
  • INFO
    • Checks supported languages
      • Battle.net-Setup.exe (PID: 3732)
    • Checks proxy server information
      • Battle.net-Setup.exe (PID: 3732)
    • Creates files in the program directory
      • Battle.net-Setup.exe (PID: 3732)
    • Reads the machine GUID from the registry
      • Battle.net-Setup.exe (PID: 3732)
    • Reads the computer name
      • Battle.net-Setup.exe (PID: 3732)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:04 01:44:13+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.15
CodeSize: 2932736
InitializedDataSize: 1978368
UninitializedDataSize: -
EntryPoint: 0x13b686
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.18.10.3141
ProductVersionNumber: 1.18.10.3141
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: © 2005-2023 Blizzard Entertainment Inc.
InternalName: Battle.net Setup
FileVersion: 1.18.10.3141
CompanyName: Blizzard Entertainment
ProductName: Battle.net Setup
ProductVersion: 1.18.10.3141
FileDescription: Battle.net Setup
OriginalFileName: Battle.net-Setup.exe
Total processes: 130
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start battle.net-setup.exe

Process information

PID: 3732
CMD: "C:\Users\admin\AppData\Local\Temp\Battle.net-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Battle.net-Setup.exe
Parent process: explorer.exe
User: admin
Company: Blizzard Entertainment
Integrity Level: MEDIUM
Description: Battle.net Setup
Version: 1.18.10.3141
Modules
Images
c:\users\admin\appdata\local\temp\battle.net-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
Total events: 370
Read events: 369
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3732) Battle.net-Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Blizzard Error
Operation: write
Name: UserUUID
Value: 98628D41-39BA-49F5-8435-9C09B1C0697E
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 10
TCP/UDP connections: 34
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3732 | Battle.net-Setup.exe | GET | 204 | 34.253.98.116:80 | http://nydus.battle.net/geoip | - | unknown | - | whitelisted
3732 | Battle.net-Setup.exe | POST | - | 66.40.185.57:3724 | http://iir.blizzard.com:3724/submit/BNET_APP | - | unknown | - | whitelisted
3732 | Battle.net-Setup.exe | POST | - | 66.40.185.57:3724 | http://iir.blizzard.com:3724/submit/BNET_APP | - | unknown | - | whitelisted
5880 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
5880 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
2356 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | - | unknown | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | - | unknown | - | whitelisted
5080 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
5080 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5880 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1140 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3732 | Battle.net-Setup.exe | 34.253.98.116:80 | nydus.battle.net | AMAZON-02 | IE | whitelisted
3732 | Battle.net-Setup.exe | 66.40.185.57:3724 | iir.blizzard.com | - | US | whitelisted
5880 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5880 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5880 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 172.217.16.142 | whitelisted
nydus.battle.net | 34.253.98.116, 54.171.236.85 | whitelisted
iir.blizzard.com | 66.40.185.57 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.147, 23.48.23.164, 23.48.23.176, 23.48.23.166, 23.48.23.173, 23.48.23.143 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
www.bing.com | 2.23.209.189, 2.23.209.130, 2.23.209.149, 2.23.209.133, 2.23.209.185, 2.23.209.179, 2.23.209.140, 2.23.209.182, 2.23.209.148 | whitelisted
login.live.com | 20.190.160.22, 40.126.32.68, 40.126.32.138, 40.126.32.72, 40.126.32.74, 40.126.32.136, 20.190.160.20, 20.190.160.14 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 23.32.186.57 | whitelisted

Threats

PID | Process | Class | Message
3732 | Battle.net-Setup.exe | Potential Corporate Privacy Violation | ET POLICY GeoIP Lookup (nydus.battle.net)
No debug info