Malware analysis Battle.net-Setup.exe Malicious activity

Add for printing

File name:	Battle.net-Setup.exe
Full analysis:	https://app.any.run/tasks/89a7d917-d880-45a2-817f-e9c0d783eaf1
Verdict:	Malicious activity
Analysis date:	July 01, 2025, 04:57:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion qrcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	F7FE24CEBBC4B0332C77BCE563E11B1D
SHA1:	744968C9193E5A1B96941695600D3770E61A6FFA
SHA256:	002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C
SSDEEP:	98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - Battle.net.exe (PID: 4944)
SUSPICIOUS
- Checks for external IP
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
- Potential Corporate Privacy Violation
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
- Connects to unusual port
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
- Reads security settings of Internet Explorer
  - Battle.net-Setup.exe (PID: 4500)
  - Agent.exe (PID: 5564)
  - Battle.net-Setup.exe (PID: 5764)
  - AgentHelper.exe (PID: 4752)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 3760)
  - Battle.net.exe (PID: 1880)
- Application launched itself
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net.exe (PID: 4944)
- Executable content was dropped or overwritten
  - Battle.net-Setup.exe (PID: 5764)
  - AgentHelper.exe (PID: 4752)
  - Agent.exe (PID: 5116)
- Process drops legitimate windows executable
  - Agent.exe (PID: 5116)
- The process drops C-runtime libraries
  - Agent.exe (PID: 5116)
- Adds/modifies Windows certificates
  - Agent.exe (PID: 5116)
- Detected use of alternative data streams (AltDS)
  - Battle.net.exe (PID: 4944)
- Creates a software uninstall entry
  - Agent.exe (PID: 5116)
- Searches for installed software
  - Agent.exe (PID: 5116)
- There is functionality for taking screenshot (YARA)
  - Battle.net.exe (PID: 3760)
  - Battle.net.exe (PID: 4944)
INFO
- Checks supported languages
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5564)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 4172)
  - SearchApp.exe (PID: 5328)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 1880)
  - Battle.net.exe (PID: 3760)
  - Battle.net.exe (PID: 3956)
- Creates files in the program directory
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5564)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
- Reads the machine GUID from the registry
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - AgentHelper.exe (PID: 4752)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 3760)
  - SearchApp.exe (PID: 5328)
  - Battle.net.exe (PID: 1880)
- Checks proxy server information
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - slui.exe (PID: 6460)
  - Battle.net.exe (PID: 4944)
- Reads the computer name
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5564)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 3760)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 1880)
- Reads the software policy settings
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - AgentHelper.exe (PID: 4752)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
  - slui.exe (PID: 6460)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 3760)
  - Battle.net.exe (PID: 1880)
  - SearchApp.exe (PID: 5328)
- Process checks computer location settings
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5564)
  - Agent.exe (PID: 5116)
  - SearchApp.exe (PID: 5328)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 888)
- Creates files or folders in the user directory
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 6672)
- The sample compiled with english language support
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
- Launching a file from a Registry key
  - Battle.net.exe (PID: 4944)
- Create files in a temporary directory
  - Battle.net.exe (PID: 4944)
- Manual execution by a user
  - chrome.exe (PID: 3160)
- Application launched itself
  - chrome.exe (PID: 3160)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:04 01:44:13+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.15
CodeSize:	2932736
InitializedDataSize:	1978368
UninitializedDataSize:	-
EntryPoint:	0x13b686
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.18.10.3141
ProductVersionNumber:	1.18.10.3141
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
LegalCopyright:	© 2005-2023 Blizzard Entertainment Inc.
InternalName:	Battle.net Setup
FileVersion:	1.18.10.3141
CompanyName:	Blizzard Entertainment
ProductName:	Battle.net Setup
ProductVersion:	1.18.10.3141
FileDescription:	Battle.net Setup
OriginalFileName:	Battle.net-Setup.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

182

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

888

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --type=renderer --log-severity=error --user-agent-product="Battle.net/2.44.1.15492 (retail) Chrome/108.0.5359.125" --disable-spell-checking --uncaught-exception-stack-size=10 --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --watch-browser-pid=4944 --first-renderer-process --no-sandbox --log-file="C:\Users\admin\AppData\Local\Battle.net\Logs\libcef-20250701T045942.014030.log" --lang=ko --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4052 --field-trial-handle=2940,i,6878340517334278624,1169452365950933185,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,ForcedColors,HardwareMediaKeyHandling,WinUseBrowserSpellChecker --battle-net-helper=Battle.net.15492 /prefetch:1

C:\Program Files (x86)\Battle.net\Battle.net.exe

—

Battle.net.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle․net

Exit code:

Version:

2.44.1.15492

Modules

Images
c:\program files (x86)\battle.net\battle.net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1068

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --type=gpu-process --no-sandbox --log-severity=error --user-agent-product="Battle.net/2.44.1.15492 (retail) Chrome/108.0.5359.125" --lang=ko --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --watch-browser-pid=4944 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\admin\AppData\Local\Battle.net\Logs\libcef-20250701T045942.014030.log" --mojo-platform-channel-handle=3992 --field-trial-handle=2940,i,6878340517334278624,1169452365950933185,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,ForcedColors,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:2 --battle-net-helper=Battle.net.15492

C:\Program Files (x86)\Battle.net\Battle.net.exe

Battle.net.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle․net

Exit code:

Version:

2.44.1.15492

Modules

Images
c:\program files (x86)\battle.net\battle.net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1352

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=3788,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4976 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1520

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=1964 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1880

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --type=gpu-process --no-sandbox --log-severity=error --user-agent-product="Battle.net/2.44.1.15492 (retail) Chrome/108.0.5359.125" --lang=ko --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --watch-browser-pid=4944 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\admin\AppData\Local\Battle.net\Logs\libcef-20250701T045942.014030.log" --mojo-platform-channel-handle=4356 --field-trial-handle=2940,i,6878340517334278624,1169452365950933185,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,ForcedColors,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:2 --battle-net-helper=Battle.net.15492

C:\Program Files (x86)\Battle.net\Battle.net.exe

Battle.net.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle․net

Exit code:

Version:

2.44.1.15492

Modules

Images
c:\program files (x86)\battle.net\battle.net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2368

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=5084,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5068 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

3160

"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3540

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2256,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3748

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

57 522

Read events

57 368

Write events

126

Delete events

Modification events


(PID) Process:	(4500) Battle.net-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Blizzard Error
Operation:	write	Name:	UserUUID
Value: 7FD31F8C-5B1C-4F8F-849B-4239A2CCC98E
(PID) Process:	(4500) Battle.net-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Launcher
Operation:	write	Name:	Locale
Value: koKR
(PID) Process:	(5116) Agent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Xbox\GamingApp\Extensions\Data\XPDM5VSMTKQLBJ
Operation:	write	Name:	State
Value: 0
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	AppId
Value: {257A53D9-0BBB-476B-9500-A888092E0260}
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	AppIdFlags
Value: 0
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	RunAs
Value: Interactive User
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	LaunchPermission
Value: 0100148094000000A0000000140000003000000002001C000100000011001400040000000101000000000010001000000200640003000000000014000B000000010100000000000100000000000018000B000000010200000000000F0200000001000000000030000B000000010800000000000F0200000076C8B566B196B8807BDF0386522D4758FA9855746BD04DA4099286D401010000000000050A00000001020000000000052000000021020000
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	AccessPermission
Value: 0100148094000000A0000000140000003000000002001C000100000011001400040000000101000000000010001000000200640003000000000014000B000000010100000000000100000000000018000B000000010200000000000F0200000001000000000030000B000000010800000000000F0200000076C8B566B196B8807BDF0386522D4758FA9855746BD04DA4099286D401010000000000050A00000001020000000000052000000021020000
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Xbox\GamingApp\Extensions\Data\XPDM5VSMTKQLBJ
Operation:	write	Name:	ExtensionType
Value: 0
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Xbox\GamingApp\Extensions\Data\XPDM5VSMTKQLBJ
Operation:	write	Name:	Name
Value: Battle.net App Xbox Extension

Add for printing

Executable files

155

Suspicious files

981

Text files

847

Unknown types

Dropped files

PID	Process	Filename		Type
4500	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_B717F9EACC1FD87B066F7B1136975CF6		binary
		MD5:133F0B069F58DD6175D88F128114DB85	SHA256:E1C1103C82D72A2B5B4175B4626729C38E7A3CC5F068E21B087E835610A5404D
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20250701T045814.log		text
		MD5:30071DEC253F6D331DBE0931A2CF650E	SHA256:39E82B63CDBB078F7E87905961DE507AE97E912A858262932071E89CC6E636DC
4500	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		der
		MD5:67E74FAF4D9E259649B5A03A2D7D56F7	SHA256:218C680187791D2217E04C5D9A2481B19F507197179F2071B306B16E1C18BDC4
4500	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		binary
		MD5:7240D2C497330F00F45E9DF15650949C	SHA256:B20D6E5314A92316F64B7C57878274308ADCAA208B2A5BB7631AC07155B44A75
4500	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_B717F9EACC1FD87B066F7B1136975CF6		der
		MD5:CE77448200798E1FC619CCFD5BC5EE72	SHA256:5B14FF4D680AB04368ABEB6141804A1BDDFFF6EEC21AE727FD9B7E2BDA701973
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\Agent.9166\.Agent.exe.19.5764.temp		executable
		MD5:2B9580C3FC3E06F5BBB05597951B449E	SHA256:402E0FA8C541614D8A7B812860B8AE97DC59AC1A0FB4D45817ED7FCB66716B69
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.13.5764.temp		executable
		MD5:B8BB284B7CD26643DF6876D665FBDE02	SHA256:117420F75D1D5DB1B3908E0728F748198D37894AF980F7614226480C7DD7BAEB
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.11.5764.temp		binary
		MD5:39BDB3BFAF3ED89FAD4865E7C70BCA6E	SHA256:44EBF0CB8E9E3148A57E8767D3A0EAA46CD0180137237B7771FB62E2E9E75DD8
4500	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20250701T045743.log		text
		MD5:B85E929A4319960A43EFC88DDDBB2BAF	SHA256:4F8169AF5ADFBFF3636801A19B54B98118BE764775B05A4CA54D2489958C3A1C
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\..Blizzard Uninstaller.exe.11.5764.temp.12.5764.temp.temp		executable
		MD5:B8BB284B7CD26643DF6876D665FBDE02	SHA256:117420F75D1D5DB1B3908E0728F748198D37894AF980F7614226480C7DD7BAEB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

292

TCP/UDP connections

261

DNS requests

132

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4500	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	GET	204	34.255.143.229:80	http://nydus.battle.net/geoip	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
892	svchost.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.20.245.136:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3756	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
3756	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5764	Battle.net-Setup.exe	GET	204	34.255.143.229:80	http://nydus.battle.net/geoip	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4708	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4500	Battle.net-Setup.exe	34.255.143.229:80	nydus.battle.net	AMAZON-02	IE	whitelisted
4500	Battle.net-Setup.exe	66.40.185.57:3724	iir.blizzard.com	—	US	whitelisted
2336	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
892	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
892	svchost.exe	2.22.98.7:80	ocsp.digicert.com	AKAMAI-AS	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.186.46	whitelisted
nydus.battle.net	34.255.143.229 54.76.17.58	whitelisted
iir.blizzard.com	66.40.185.57	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.130 20.190.160.65 20.190.160.66 40.126.32.136 20.190.160.22 20.190.160.64 20.190.160.14 40.126.32.138 20.190.160.20 20.190.160.128 20.190.160.2 40.126.32.134 40.126.32.74	whitelisted
ocsp.digicert.com	2.22.98.7 2.23.77.188	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted
crl.microsoft.com	2.20.245.136 2.20.245.139	whitelisted
www.microsoft.com	173.223.117.131	whitelisted

Threats

PID	Process	Class	Message
4500	Battle.net-Setup.exe	Potential Corporate Privacy Violation	ET INFO GeoIP Lookup (nydus.battle.net)
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5764	Battle.net-Setup.exe	Potential Corporate Privacy Violation	ET INFO GeoIP Lookup (nydus.battle.net)
5116	Agent.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User Agent (agent)
5116	Agent.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User Agent (agent)
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url

Add for printing

Process	Message
Battle.net.exe	[0701/045942.664:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_win32_surface
Battle.net.exe	[0701/045942.664:ERROR:gl_display.cc(508)] EGL Driver message (Critical) eglInitialize: Internal Vulkan error (-7): A requested extension is not supported, in ..\..\third_party\angle\src\libANGLE\renderer\vulkan\RendererVk.cpp, initialize:1594.
Battle.net.exe	[0701/045942.664:ERROR:gl_display.cc(920)] eglInitialize SwANGLE failed with error EGL_NOT_INITIALIZED
Battle.net.exe	[0701/045942.664:ERROR:angle_platform_impl.cc(43)] Display.cpp:1004 (initialize): ANGLE Display::initialize error 0: Internal Vulkan error (-7): A requested extension is not supported, in ..\..\third_party\angle\src\libANGLE\renderer\vulkan\RendererVk.cpp, initialize:1594.
Battle.net.exe	[0701/045942.664:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
Battle.net.exe	[0701/045942.664:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_surface
Battle.net.exe	[0701/045942.664:ERROR:gl_initializer_win.cc(133)] GLDisplayEGL::Initialize failed.
Battle.net.exe	[0701/045943.086:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_surface
Battle.net.exe	[0701/045943.086:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_win32_surface
Battle.net.exe	[0701/045943.086:ERROR:angle_platform_impl.cc(43)] Display.cpp:1004 (initialize): ANGLE Display::initialize error 0: Internal Vulkan error (-7): A requested extension is not supported, in ..\..\third_party\angle\src\libANGLE\renderer\vulkan\RendererVk.cpp, initialize:1594.

General Info

Battle.net-Setup.exe

F7FE24CEBBC4B0332C77BCE563E11B1D

744968C9193E5A1B96941695600D3770E61A6FFA

002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C

98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Checks for external IP

Potential Corporate Privacy Violation

Connects to unusual port

Reads security settings of Internet Explorer

Application launched itself

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Adds/modifies Windows certificates

Detected use of alternative data streams (AltDS)

Creates a software uninstall entry

Searches for installed software

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Creates files in the program directory

Reads the machine GUID from the registry

Checks proxy server information

Reads the computer name

Reads the software policy settings

Process checks computer location settings

Creates files or folders in the user directory

The sample compiled with english language support

Launching a file from a Registry key

Create files in a temporary directory

Manual execution by a user

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats