Malware analysis Battle.net-Setup.exe Malicious activity

Add for printing

File name:	Battle.net-Setup.exe
Full analysis:	https://app.any.run/tasks/89a7d917-d880-45a2-817f-e9c0d783eaf1
Verdict:	Malicious activity
Analysis date:	July 01, 2025, 04:57:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion qrcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	F7FE24CEBBC4B0332C77BCE563E11B1D
SHA1:	744968C9193E5A1B96941695600D3770E61A6FFA
SHA256:	002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C
SSDEEP:	98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - Battle.net.exe (PID: 4944)
SUSPICIOUS
- Connects to unusual port
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
- Checks for external IP
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
- Reads security settings of Internet Explorer
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5564)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 1880)
  - Battle.net.exe (PID: 3760)
- Potential Corporate Privacy Violation
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
- Executable content was dropped or overwritten
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
- Application launched itself
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net.exe (PID: 4944)
- The process drops C-runtime libraries
  - Agent.exe (PID: 5116)
- Process drops legitimate windows executable
  - Agent.exe (PID: 5116)
- Creates a software uninstall entry
  - Agent.exe (PID: 5116)
- Adds/modifies Windows certificates
  - Agent.exe (PID: 5116)
- Searches for installed software
  - Agent.exe (PID: 5116)
- Detected use of alternative data streams (AltDS)
  - Battle.net.exe (PID: 4944)
- There is functionality for taking screenshot (YARA)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 3760)
INFO
- Checks supported languages
  - Battle.net-Setup.exe (PID: 4500)
  - Agent.exe (PID: 5116)
  - Agent.exe (PID: 5564)
  - Battle.net-Setup.exe (PID: 5764)
  - AgentHelper.exe (PID: 4752)
  - SearchApp.exe (PID: 5328)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 1880)
  - Battle.net.exe (PID: 3760)
- Reads the computer name
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
  - Agent.exe (PID: 5564)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 1880)
  - Battle.net.exe (PID: 3760)
  - Battle.net.exe (PID: 888)
- Reads the machine GUID from the registry
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 1880)
  - Battle.net.exe (PID: 3760)
  - SearchApp.exe (PID: 5328)
- Creates files in the program directory
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5564)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
- Checks proxy server information
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - slui.exe (PID: 6460)
  - Battle.net.exe (PID: 4944)
- Reads the software policy settings
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
  - slui.exe (PID: 6460)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 3956)
  - Battle.net.exe (PID: 6672)
  - Battle.net.exe (PID: 4172)
  - Battle.net.exe (PID: 5848)
  - Battle.net.exe (PID: 888)
  - Battle.net.exe (PID: 1068)
  - Battle.net.exe (PID: 1880)
  - Battle.net.exe (PID: 3760)
  - SearchApp.exe (PID: 5328)
- Process checks computer location settings
  - Battle.net-Setup.exe (PID: 4500)
  - Agent.exe (PID: 5564)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - SearchApp.exe (PID: 5328)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 888)
- Creates files or folders in the user directory
  - Battle.net-Setup.exe (PID: 4500)
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - Battle.net.exe (PID: 4944)
  - Battle.net.exe (PID: 6672)
- The sample compiled with english language support
  - Battle.net-Setup.exe (PID: 5764)
  - Agent.exe (PID: 5116)
  - AgentHelper.exe (PID: 4752)
- Launching a file from a Registry key
  - Battle.net.exe (PID: 4944)
- Create files in a temporary directory
  - Battle.net.exe (PID: 4944)
- Manual execution by a user
  - chrome.exe (PID: 3160)
- Application launched itself
  - chrome.exe (PID: 3160)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:04 01:44:13+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.15
CodeSize:	2932736
InitializedDataSize:	1978368
UninitializedDataSize:	-
EntryPoint:	0x13b686
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.18.10.3141
ProductVersionNumber:	1.18.10.3141
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
LegalCopyright:	© 2005-2023 Blizzard Entertainment Inc.
InternalName:	Battle.net Setup
FileVersion:	1.18.10.3141
CompanyName:	Blizzard Entertainment
ProductName:	Battle.net Setup
ProductVersion:	1.18.10.3141
FileDescription:	Battle.net Setup
OriginalFileName:	Battle.net-Setup.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

182

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

888

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --type=renderer --log-severity=error --user-agent-product="Battle.net/2.44.1.15492 (retail) Chrome/108.0.5359.125" --disable-spell-checking --uncaught-exception-stack-size=10 --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --watch-browser-pid=4944 --first-renderer-process --no-sandbox --log-file="C:\Users\admin\AppData\Local\Battle.net\Logs\libcef-20250701T045942.014030.log" --lang=ko --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4052 --field-trial-handle=2940,i,6878340517334278624,1169452365950933185,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,ForcedColors,HardwareMediaKeyHandling,WinUseBrowserSpellChecker --battle-net-helper=Battle.net.15492 /prefetch:1

C:\Program Files (x86)\Battle.net\Battle.net.exe

—

Battle.net.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle․net

Exit code:

Version:

2.44.1.15492

Modules

Images
c:\program files (x86)\battle.net\battle.net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1068

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --type=gpu-process --no-sandbox --log-severity=error --user-agent-product="Battle.net/2.44.1.15492 (retail) Chrome/108.0.5359.125" --lang=ko --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --watch-browser-pid=4944 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\admin\AppData\Local\Battle.net\Logs\libcef-20250701T045942.014030.log" --mojo-platform-channel-handle=3992 --field-trial-handle=2940,i,6878340517334278624,1169452365950933185,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,ForcedColors,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:2 --battle-net-helper=Battle.net.15492

C:\Program Files (x86)\Battle.net\Battle.net.exe

Battle.net.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle․net

Exit code:

Version:

2.44.1.15492

Modules

Images
c:\program files (x86)\battle.net\battle.net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1352

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=3788,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4976 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1520

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=1964 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1880

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --type=gpu-process --no-sandbox --log-severity=error --user-agent-product="Battle.net/2.44.1.15492 (retail) Chrome/108.0.5359.125" --lang=ko --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --watch-browser-pid=4944 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\admin\AppData\Local\Battle.net\Logs\libcef-20250701T045942.014030.log" --mojo-platform-channel-handle=4356 --field-trial-handle=2940,i,6878340517334278624,1169452365950933185,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,ForcedColors,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:2 --battle-net-helper=Battle.net.15492

C:\Program Files (x86)\Battle.net\Battle.net.exe

Battle.net.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle․net

Exit code:

Version:

2.44.1.15492

Modules

Images
c:\program files (x86)\battle.net\battle.net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2368

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=5084,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5068 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

3160

"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3540

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2256,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3748

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12125815392164362591,13121075604119292790,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

57 522

Read events

57 368

Write events

126

Delete events

Modification events


(PID) Process:	(4500) Battle.net-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Blizzard Error
Operation:	write	Name:	UserUUID
Value: 7FD31F8C-5B1C-4F8F-849B-4239A2CCC98E
(PID) Process:	(4500) Battle.net-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Launcher
Operation:	write	Name:	Locale
Value: koKR
(PID) Process:	(5116) Agent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Xbox\GamingApp\Extensions\Data\XPDM5VSMTKQLBJ
Operation:	write	Name:	State
Value: 0
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	AppId
Value: {257A53D9-0BBB-476B-9500-A888092E0260}
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	AppIdFlags
Value: 0
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	RunAs
Value: Interactive User
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	LaunchPermission
Value: 0100148094000000A0000000140000003000000002001C000100000011001400040000000101000000000010001000000200640003000000000014000B000000010100000000000100000000000018000B000000010200000000000F0200000001000000000030000B000000010800000000000F0200000076C8B566B196B8807BDF0386522D4758FA9855746BD04DA4099286D401010000000000050A00000001020000000000052000000021020000
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{257A53D9-0BBB-476B-9500-A888092E0260}
Operation:	write	Name:	AccessPermission
Value: 0100148094000000A0000000140000003000000002001C000100000011001400040000000101000000000010001000000200640003000000000014000B000000010100000000000100000000000018000B000000010200000000000F0200000001000000000030000B000000010800000000000F0200000076C8B566B196B8807BDF0386522D4758FA9855746BD04DA4099286D401010000000000050A00000001020000000000052000000021020000
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Xbox\GamingApp\Extensions\Data\XPDM5VSMTKQLBJ
Operation:	write	Name:	ExtensionType
Value: 0
(PID) Process:	(5116) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Xbox\GamingApp\Extensions\Data\XPDM5VSMTKQLBJ
Operation:	write	Name:	Name
Value: Battle.net App Xbox Extension

Add for printing

Executable files

155

Suspicious files

981

Text files

847

Unknown types

Dropped files

PID	Process	Filename		Type
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\..LICENSES.14.5764.temp.15.5764.temp.temp		text
		MD5:835AE7FB6E7733264A44F792CA33FB2B	SHA256:7CB852F64FB8C7BDE31B53CF7BD5C68EC50EBA128054DD3646C8A2C73B331162
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.LICENSES.16.5764.temp		text
		MD5:835AE7FB6E7733264A44F792CA33FB2B	SHA256:7CB852F64FB8C7BDE31B53CF7BD5C68EC50EBA128054DD3646C8A2C73B331162
4500	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		der
		MD5:67E74FAF4D9E259649B5A03A2D7D56F7	SHA256:218C680187791D2217E04C5D9A2481B19F507197179F2071B306B16E1C18BDC4
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20250701T045814.log		text
		MD5:30071DEC253F6D331DBE0931A2CF650E	SHA256:39E82B63CDBB078F7E87905961DE507AE97E912A858262932071E89CC6E636DC
4500	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		binary
		MD5:7240D2C497330F00F45E9DF15650949C	SHA256:B20D6E5314A92316F64B7C57878274308ADCAA208B2A5BB7631AC07155B44A75
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.LICENSES.14.5764.temp		binary
		MD5:A7279912EBA47364A179ABF6F247E929	SHA256:44C68CDCDCB51EA109D9979F2A812F30757E4A20EFAF12DE95F769BADB7DBD76
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\Agent.9166\.Agent.exe.19.5764.temp		executable
		MD5:2B9580C3FC3E06F5BBB05597951B449E	SHA256:402E0FA8C541614D8A7B812860B8AE97DC59AC1A0FB4D45817ED7FCB66716B69
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.11.5764.temp		binary
		MD5:39BDB3BFAF3ED89FAD4865E7C70BCA6E	SHA256:44EBF0CB8E9E3148A57E8767D3A0EAA46CD0180137237B7771FB62E2E9E75DD8
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\Agent.9166\.Agent.exe.17.5764.temp		binary
		MD5:D70AB641D80E69ED8B51719D3F043EBE	SHA256:C199398221159601E75DB994215FC740EA1537E020082E58B8B707292E6BA9C0
5764	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\..AgentHelper.exe.20.5764.temp.21.5764.temp		executable
		MD5:5FAAADC3CAEB3FD98EC46E4552721911	SHA256:47AF3FB10B2C1CD7A137CF68016AB7485F67D8067755E1F946439F36EC8D19AB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

292

TCP/UDP connections

261

DNS requests

132

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4500	Battle.net-Setup.exe	GET	204	34.255.143.229:80	http://nydus.battle.net/geoip	unknown	—	—	whitelisted
892	svchost.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
3756	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3756	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5764	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
4500	Battle.net-Setup.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAxEIEg8DxEkiqu7bqioboI%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4708	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4500	Battle.net-Setup.exe	34.255.143.229:80	nydus.battle.net	AMAZON-02	IE	whitelisted
4500	Battle.net-Setup.exe	66.40.185.57:3724	iir.blizzard.com	—	US	whitelisted
2336	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
892	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
892	svchost.exe	2.22.98.7:80	ocsp.digicert.com	AKAMAI-AS	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.186.46	whitelisted
nydus.battle.net	34.255.143.229 54.76.17.58	whitelisted
iir.blizzard.com	66.40.185.57	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.130 20.190.160.65 20.190.160.66 40.126.32.136 20.190.160.22 20.190.160.64 20.190.160.14 40.126.32.138 20.190.160.20 20.190.160.128 20.190.160.2 40.126.32.134 40.126.32.74	whitelisted
ocsp.digicert.com	2.22.98.7 2.23.77.188	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted
crl.microsoft.com	2.20.245.136 2.20.245.139	whitelisted
www.microsoft.com	173.223.117.131	whitelisted

Threats

PID	Process	Class	Message
4500	Battle.net-Setup.exe	Potential Corporate Privacy Violation	ET INFO GeoIP Lookup (nydus.battle.net)
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5764	Battle.net-Setup.exe	Potential Corporate Privacy Violation	ET INFO GeoIP Lookup (nydus.battle.net)
5116	Agent.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User Agent (agent)
5116	Agent.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User Agent (agent)
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url
—	—	Potentially Bad Traffic	ET INFO Referrer-Policy set to unsafe-url

Add for printing

Process	Message
Battle.net.exe	[0701/045942.664:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_win32_surface
Battle.net.exe	[0701/045942.664:ERROR:gl_display.cc(508)] EGL Driver message (Critical) eglInitialize: Internal Vulkan error (-7): A requested extension is not supported, in ..\..\third_party\angle\src\libANGLE\renderer\vulkan\RendererVk.cpp, initialize:1594.
Battle.net.exe	[0701/045942.664:ERROR:gl_display.cc(920)] eglInitialize SwANGLE failed with error EGL_NOT_INITIALIZED
Battle.net.exe	[0701/045942.664:ERROR:angle_platform_impl.cc(43)] Display.cpp:1004 (initialize): ANGLE Display::initialize error 0: Internal Vulkan error (-7): A requested extension is not supported, in ..\..\third_party\angle\src\libANGLE\renderer\vulkan\RendererVk.cpp, initialize:1594.
Battle.net.exe	[0701/045942.664:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
Battle.net.exe	[0701/045942.664:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_surface
Battle.net.exe	[0701/045942.664:ERROR:gl_initializer_win.cc(133)] GLDisplayEGL::Initialize failed.
Battle.net.exe	[0701/045943.086:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_surface
Battle.net.exe	[0701/045943.086:ERROR:angle_platform_impl.cc(43)] RendererVk.cpp:144 (VerifyExtensionsPresent): Extension not supported: VK_KHR_win32_surface
Battle.net.exe	[0701/045943.086:ERROR:angle_platform_impl.cc(43)] Display.cpp:1004 (initialize): ANGLE Display::initialize error 0: Internal Vulkan error (-7): A requested extension is not supported, in ..\..\third_party\angle\src\libANGLE\renderer\vulkan\RendererVk.cpp, initialize:1594.

General Info

Battle.net-Setup.exe

F7FE24CEBBC4B0332C77BCE563E11B1D

744968C9193E5A1B96941695600D3770E61A6FFA

002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C

98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Connects to unusual port

Checks for external IP

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Application launched itself

The process drops C-runtime libraries

Process drops legitimate windows executable

Creates a software uninstall entry

Adds/modifies Windows certificates

Searches for installed software

Detected use of alternative data streams (AltDS)

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

Creates files or folders in the user directory

The sample compiled with english language support

Launching a file from a Registry key

Create files in a temporary directory

Manual execution by a user

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats