Malware analysis Battle.net-Setup.exe Malicious activity

Add for printing

File name:	Battle.net-Setup.exe
Full analysis:	https://app.any.run/tasks/8d70b8f7-f799-46e7-be50-9ee05172d476
Verdict:	Malicious activity
Analysis date:	November 26, 2024, 18:55:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	F7FE24CEBBC4B0332C77BCE563E11B1D
SHA1:	744968C9193E5A1B96941695600D3770E61A6FFA
SHA256:	002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C
SSDEEP:	98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Connects to unusual port
  - Battle.net-Setup.exe (PID: 5404)
  - Battle.net-Setup.exe (PID: 6712)
  - Agent.exe (PID: 7060)
- Application launched itself
  - Battle.net-Setup.exe (PID: 5404)
- Potential Corporate Privacy Violation
  - Battle.net-Setup.exe (PID: 6712)
  - Battle.net-Setup.exe (PID: 5404)
- Executable content was dropped or overwritten
  - Battle.net-Setup.exe (PID: 6712)
  - Agent.exe (PID: 7060)
  - AgentHelper.exe (PID: 4164)
- Checks for external IP
  - Battle.net-Setup.exe (PID: 5404)
  - Battle.net-Setup.exe (PID: 6712)
- The process drops C-runtime libraries
  - Agent.exe (PID: 7060)
- Process drops legitimate windows executable
  - Agent.exe (PID: 7060)
INFO
- Checks supported languages
  - Battle.net-Setup.exe (PID: 5404)
- Checks proxy server information
  - Battle.net-Setup.exe (PID: 5404)
- Reads the machine GUID from the registry
  - Battle.net-Setup.exe (PID: 5404)
- Reads the computer name
  - Battle.net-Setup.exe (PID: 5404)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:04 01:44:13+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.15
CodeSize:	2932736
InitializedDataSize:	1978368
UninitializedDataSize:	-
EntryPoint:	0x13b686
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.18.10.3141
ProductVersionNumber:	1.18.10.3141
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
LegalCopyright:	© 2005-2023 Blizzard Entertainment Inc.
InternalName:	Battle.net Setup
FileVersion:	1.18.10.3141
CompanyName:	Blizzard Entertainment
ProductName:	Battle.net Setup
ProductVersion:	1.18.10.3141
FileDescription:	Battle.net Setup
OriginalFileName:	Battle.net-Setup.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

134

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4164

"C:\ProgramData\Battle.net\Agent\AgentHelper.exe" --install --target=C:/ProgramData/Battle.net_components/battlenet_helpersvc/AgentHelper.exe

C:\ProgramData\Battle.net\Agent\AgentHelper.exe

Agent.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

HIGH

Description:

Battle.net Admin Agent

Exit code:

Version:

2.36.3.8916

Modules

Images
c:\programdata\battle.net\agent\agenthelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

5404

"C:\Users\admin\AppData\Local\Temp\Battle.net-Setup.exe"

C:\Users\admin\AppData\Local\Temp\Battle.net-Setup.exe

explorer.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle.net Setup

Exit code:

Version:

1.18.10.3141

Modules

Images
c:\users\admin\appdata\local\temp\battle.net-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll

5728

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

AgentHelper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6712

"C:\Users\admin\AppData\Local\Temp\Battle.net-Setup.exe" --cmdver=2 --elevated --locale=enUS --mode=setup --session=7489082420640446351

C:\Users\admin\AppData\Local\Temp\Battle.net-Setup.exe

Battle.net-Setup.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

HIGH

Description:

Battle.net Setup

Version:

1.18.10.3141

Modules

Images
c:\users\admin\appdata\local\temp\battle.net-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll

7020

"C:\ProgramData\Battle.net\Agent\Agent.exe" --locale=enUS --session=7489082420640446351

C:\ProgramData\Battle.net\Agent\Agent.exe

—

Battle.net-Setup.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

HIGH

Description:

Battle.net File Switcher

Exit code:

Version:

2.36.3.8916

Modules

Images
c:\programdata\battle.net\agent\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

7060

"C:\ProgramData\Battle.net\Agent\Agent.8916\Agent.exe" --locale=enUS --session=7489082420640446351

C:\ProgramData\Battle.net\Agent\Agent.8916\Agent.exe

Agent.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

HIGH

Description:

Battle.net Update Agent

Version:

2.36.3.8916

Modules

Images
c:\programdata\battle.net\agent\agent.8916\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wintrust.dll

7068

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Agent.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

16 902

Read events

16 890

Write events

Delete events

Modification events


(PID) Process:	(5404) Battle.net-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Blizzard Error
Operation:	write	Name:	UserUUID
Value: A9F5FF70-F609-4949-91A9-06A78724F79D
(PID) Process:	(5404) Battle.net-Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Launcher
Operation:	write	Name:	Locale
Value: enUS
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:	delete value	Name:	1902AFBF32C9B053C0614F8AC421D2A7A9B7039D
Value:
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1902AFBF32C9B053C0614F8AC421D2A7A9B7039D
Operation:	write	Name:	Blob
Value: 0300000001000000140000001902AFBF32C9B053C0614F8AC421D2A7A9B7039D2000000001000000DA050000308205D6308203BEA003020102020305CF5E300D06092A864886F70D01010B0500308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C2043657274301E170D3234313132363138353631375A170D3334313132343138353631375A308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C204365727430820222300D06092A864886F70D01010105000382020F003082020A0282020100DA2E0B164D33B6536908FD485DBD8BEA65E3E1B91318F0685FDB2006103D5BD1E5F0473FDB5018AA12C365C06F1801DA03C9040C3E7DCEEE7E8A1ABE60B7002D039E8569C0A95278952E2A4880D27C49F2914C58FF78D3528B4CE04A3BE561381B40787AC8038CB8A5F061F9199625C952E31D13418AAB71FAE92DEF7A9606BBA47D9EDB7F5D3BF7F374A929FD8BFEB99989E1293D76824A36C241BFB502E82CEF18B8C532754324162788CD9B179C4C73AFD3D40EE0D1B437841FD49869764A0594D245AEC25C682A5F108BC944866342D00ACE8E0AE2FAE3E27AB9AEEA79E44700CA1C17CAF7F4E8373A7CCCC21692920660E3FBE853DC38540287E327FE2C7B1719FB3F8260915B197667BE9F33AD2766765F956421BA9306310F38A640CEA62AC1E21CBC3D706C19DBEA4F08E85180C02EAAFC115C6F9579FE96CEA23246C0E2CF878036AF161DC4FF267EFD4607F586513ECE739B09C519EAE6EFEEAAE961D4CB860C00931DA6178D2964B3E1D83EABF53CA3477ED6FDB833B2BD551DF9EBCD856C9F0EEA13B400F92D6CF923DEAAECEB7CC212E905B8C350C9CFE4110F22F6765748833EC47B2875EE5AF3070970844F6C5FE74EDF07548180038E54A54287EA20DDD265EABFFE4623BDF257C842F879A4519D1D7C6A080DAC2E5476C6C448A3923515FB90EE5D0123092A3D60D6A9B76EA91725D863987A480FF1D5310203010001A333303130130603551D25040C300A06082B06010505070301301A0603551D1104133011820F6C6F63616C626174746C652E6E6574300D06092A864886F70D01010B0500038202010082CE968025DECC4D0DE48574DD05282E925EDB14217EABF2C356EFE7E4A430E284B2A487916E7D141978A5F52AC1289D64CB2269A47AE075425A7A14BBF7A488DF7C2776C93CDAAC7FA53FF0DD1FFEE4951C801D09EC5FB58DDC7456BFD671963C7683B9E846A3E29F16E50A04ADA3C94D848009E9C06E7630852D4E3B3A14437F7610B93D45BFA5B47CBBCBBD2E06FEA027373E366E46C7B09D95DF5FE0835BF8B3DA039E08E25BF79E1787C6183FC3A8C1B5FF4AFF9308D027A793FF76B910BC6F520C36A097752D5504B28CCA6086B42E3FB9FCA5E381AD6CC7F2A477AA82A2D3FFFE420C9BE2AAA3D31D9E5F87E111D34AC7728A0A4A5ADF76F1E914A6B84E727F94F3C2DA04A31DE2165B0F266C6EFBA946C54CD3C515193988DEFDDEF35EFCB79B57E1891E2DDF14BDE0F72B759085F5452BA1BDE1C0F5C3F5287483CC1FDCF62472A9D4B0368229F55D071AA70D499397A6372EC27F6B593276A53D27BB436837B684688B379E425DF15DA92B0DAFA85DCE812AB89848342DA2F5F71B7F9071DDB9CCA2CEA7F41DA203FED61ED64036D08F39D5E39883EF610001CCB112A81FA2374EB23E860F80B581CA21C747FE960B2445FB018CD5B7AB99A39C52656A9471A03E0E75D4C335F27B5D26A2C8B8AFF30F40CB29CBD8F59589E1648DCC36C92084DE5AF5AD0BCA924FABAB9C7D9A4374AD96C7E49F7D0E5CBC6C4389
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Blizzard Entertainment\Battle.net
Operation:	write	Name:	LocalBattlenetCertificate
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000000596EBDEB9366D428D3E97E4F4EFC1180400000002000000000010660000000100002000000006E72CC6ADDFBBA834B49A8F44AE7EEECD727FA5444595B8F19D16B3282745DB000000000E8000000002000020000000DDAB7F523C41F3489BA596D1B26269A8674A06366C56FFFC76EC4A992796D1AB300800003722E0F9AB67FD44ADA8B29C4ED4A699AA56B4907A21A4DAB150ECCDFB7C1E6019DDB1E19080B1286244116F2C6301A1B34570DD8667FB1D742B43C07717EDD03BF8AEA8A0ABE7A3B8616F5ABBE06188E28D8AFEB4D21E36FDE0D052DA647D963E810966150884BCE2CF1FFEBB7B4023AB4708C594C84F1AE87EB309797F133C210B8169F55D6267799A346096FA38FDB19F7C076F94FFC3C452319A344BAF447F5DF39A69F21F7403B327E88EA7F8EE423C3657B5AA4618CA58E715BE5AB79FF2CB55636DDA4FA846C66FCEE5D7AA19032E7D14FEDC949FB7FAB8F1E418FB4DA12FBACFEC19C01AC8489F68C70AD13ED76E67504C528E1EE3101F91B51AC2C2D44D03F2EB58FD12E6C47FCD9965BF2D13672D56664D75F7A47D1C02871BBBE7521977C0A721A184166514A5A3670AEACF50AC27DB2E2EE88C7B1E44B1728579D231BE77FBC9B5AF997BB0E9BA53DBA9B29F9E57537069823634DBE38DEB08A5389DE3F0157A9ABD444DE1C05C11BD27B11F0A7E8C111BE3656357FE043EAF9F4E2877B7DAC9F4410B2B40BCF13BDFE8BE29C400DDAF5E66F18711CB4B814486284A5066AAFE7EFE8DED0218280A3C3B6ECA67C5E52192B04E8430A7258F837EA433B7D3B94294D4F7A2C2DBB6DEBF9848870A7B5CFB58B0DE183FD19835FF9D31DA0C87D1654AE01FB7025B530521FC30D0A0D594B0F638DB6AA1425FDEE2D5B7412A38D39CF22DE3F4EC96764B9048EE5D7B824B441529B18CDAFF22C664191497C04CFE8A6D76EC7BD078049943E97B1FAA54D56EC5204DE257C7B22199306FC7DBA866F46B9F1A2C6658471BDD4BB287693765D2F123D7EC0E5076399EC2757BE0FD71D5FB907A03A3AF2DBB74BC2F8C9300F89E2B1D356F6F2BD3385EA6758807C4026F14D413432E25A45B862383D9EF322D50E401BF76245EBF22483EC9782E01FCFC3387A089239E2884A7C133E2300047E379BFDFC16CCFCA4A606E8DC7E5E0DDEE49DAED442FF45ABD4FFB6C8AB91024443F7A3BC33A6553134D5226CBBEE6BB74E00C934B6B00A2747DF7876A54906CDD16AA4ADEBD4A60DF2EBF889152F860883DC40EDC5D0A33B25D1C8D51C0E8EB8706072CA5BA49CE8BA7524D227B925AB665385589CBE21909494AD4B7D6CF11D27A4EBBC9481510A5EC7F97EA10A5B60FB43674E2FACB9880AE61FD236335D787B184F7F303FDC8C9484FF489328D66DF33FB2DE96E1047B04046B6743862E1A7C400F70DE00077DD22531C84CF42FC491DE33596C9446AEBCD9390CEAB916D185CFB860D39408BAA18561D730796EEC1E89898CB1F21FDB285293662A4E21925CF531B0CAC5CC87A6E006FC5F86AC933E70FE8E1596D9E82CB4805A5A03DCFE42D9AADAAA42B2F5544F438903E02FEA54DD211B36581CE5CFDD7777AEA1997FD0A89F4CB44F821ADC0A4848E1A094E53358C64DD0186797466F20224C4F37CF56828DA3F01EA42A0D507080B9CFC515B4E0D40DB934355444D85DA214C12D575846F66E6D27DBF84ABA460825F8B5E0B3F4B8686359DCAAB54484461446EA90774CA4A25D642E1F9BC1AA2C6C8B589F881F84E84DD8C4962A9CD91F5C88ABDEAFE0C4359111D2DA99C762FE0AA693DD2E9376560B598544D5B42F5C306B8C5C9C801F20F24872F645766E89241D205357809607CC9DF73C6FA2E54F34607312A4ACA204370FB0D05097C8314F042BFE163A5F976544095FF38E29573A050FF7B1A0627E6494219A6A9CAE1881C94A707C6B5264414342CDAE3E1D07E133EDDA87EF16715F65427F7D6D49AD4A55C04114CC11B1F818F81F87AFD402C0858A0C88D54328701ABF5D3A75597C76CFC0BD0C2A5282A76DBBFCD50B22F9F917096B9CF39DC7509EFAB7004253D05D8D7CA82723C462E6281242E5987553DC73A343707CE237D7DDEE28429761992B7342842D5115E4F91D65CC9E9242F6FE8A9BB0073064D509EE23F1EDC0D7A180B6AA4C4170DEFDB7421908383910AA2B677A9135F33D3933B1C33C18D85C3E1652B979B447D00CC7B8EB9FA7B5822912AEE5296568FF325037DA9E0F8D301092985DF40D43F6BDA54A0FFD2F0A68694448A1DB12964EC83128853D8B0F10116CBAA2666830D742901E2C6E135508173B48915120A666496F129ACFE6253BDB8F0A5CB794661AFFB9DCF8660397C05CA709A430F1417DAC435419A29DDBA9FF248B26CC37BBE516AD496A6AA8A0550D9849D1AA54D2FDB40A2F3B8F6DCFF53695ABF58E98E8417C2F23D1EB0746642E9824AECEC63CF10C4BB7C5BFCDFDFCC117E642862E601E6C2A73FFD6A5C774B17265B5B37EA58885DFC260BF60A1B918E7A2DCB1299744D7F8363AB57B399B237757360E64B6923B83ACF2CEC452AA2B737779B4CC9F99E1259BC72003544B596CECF3579D0FF027EBD63F3D03F67F428428D02E5B063811B2AF4BD22EB6129A1C79FAC88735514F57AF56F40020380A55759232C39C7C067EA29FB21A5DA652DEAABC91BC079AEC1767E5188C1F6A0B978DB28DA2B5C9D1C6C555D0B69A26745477E581A68879F99E1315F6716885CF2D34E3FC4D0039F8C24E61B6151FC7F9CDFA8A4935970725591978C920DFE26E7F7E42606429B6E7FA4B87008391595EA12CA72DBD68340E55FB5211F68B9CA9C4B366E228B88B958A6EBCD105B33CF24567A88331415F70382EAA077A3772F84D8F5F3AA321A9E08DA3195575B1DE980806D90F8B9749681F168D3A0F4476121F832BFF2EF64D163F1C951FC5E3D20060A750B6721728F09C53FE8AE9FED784F2FE94801828F89872701BC6D21DEE39D3CB8CD84D77F27BBA0C80E659857527AE5B39B7BBE347382ED0EA35CE18F46AD5911457B309A0079B8AD918C73C5FFB9BEBF49DBE389DB97E2C857D378E8719D74865C22EA9795B1B14D53010E6E31AA20D376856286833D4ABDDB38CE1640000000341F6F1CEDA3CB6F469AAE04CFF8B72A675A11B7FD235BD4869C3A98705216A87429E5F1DC347FAB2BB72F5E898AE8EB76F9F5396EAD3FFE7DFC47FEF0A27B2A
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Blizzard Entertainment\Battle.net
Operation:	write	Name:	LocalBattlenetPrivateKey
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000000596EBDEB9366D428D3E97E4F4EFC118040000000200000000001066000000010000200000009619EC3350DCA1041BA4B61FDD26D702A33DC4AA8FA8AB83429EDE2522452FE6000000000E80000000020000200000008BDC871430445EADCDABDAD1FDE8CCD0D3E08C69EEB53DDAE0B3FF8581B293FCD00C0000477AFC482D03404009A6AF638C9B8C434DAA77B7500CB84000247603C60BDFFB70CC641DD19DB411A1DA0F886E4862B2E9AD316D43426AB40F2D0A5686A0D898869D94A547B58CF2D8D67FA40E09B8C790C21E04D0C762222DFF5210B097BAF0E2B8E0C56D5C1F1B381CB5432D3CF771B9E303DAD09C9A9989EEC1439CEF2363517CC886851643900EF43631E598C6A91CE7101B8DCF4BFB2C14AC808DCEDFC31B0213178936A46E625F16AB4317EAAFDCAD3E23188F96246D98D763B8A1B0FF0225042712CD04158EEFA632E113C6B6B142DE6E48F8569A2790F48538AD3F8402867A34260DDF2660F0650B11CCBB986411AB8D5AF60D7F2805AE104A1A145D554D8A6AA9B4F9D55722D7042FAA1E06164B0BF6EFFB2D0CC90E2C2BB0FF13D18363FB26D2DB7890FDA27D39436D700AF19EB1424002ACCA73DA237290229E70D97CA26393451883D50685DA27CBCE017B28D09BD958B334013F39D9D1403E0519826FD530EDFC683EB975223A7284CFDEA90979485759FF92D2D211E5B3881253D1628F6D6D77965FBA3E53FE49CC54116E3579B663FA7C8BECDF3BCCD9CC1CDB54959DADF924B162AA835B33A34C73BC9BB16B473889805928821F58E04490EA29556AFD770C08694C8099DF364BF99BBE81C8BA3D4DA4CC1E7CA0F6E8DC23D347FA49DC18572B91BC00B92657EDE6DB7C5E098A8C343EEBDB7B113A6C3FBA0F82D26CB6342C4530A91692EC1427BA5D87A7E885EC212D66E87F16AD45E4725B9C482B93A61D7D298B890C6CBD61BD491F132E746933ABB2323DE2D1DCC5D6BB8CC84E181274E991C3473359DEE6CF26E54C356B1F46D50326BBDA2776437E012F4DE0B60F3A1DFAB7EF9C747D502FF53771EEC7C7D8C9C65B623F665A073DD836525EBEB0C486B0DD1105D9B8ABAB1C23D209B2ECB5B6D03E374FAF36C06C42F4E9DAD38087B6470EB100CE1A9BD0DC6E958C3064DFD705F816B2A4BF67903B49889846B656FB5F2B10871CD9A62C7C338984780150C912873240F226E4002A35133F88664A01839698A6C54C8F45D846D12C85B350EEDFD1F8C86FBED8C239CF3FDFDAAAAB948A7A2B202300C707C1E927A155CBCC4668608A138A1F2C72BDD25FE246C29D45BCEF84BC5735047C8182D04A701A6AB18B66DD6C61059C48BD57149C4BB0ADBBF827511043570B1C619E3A8EBDC31A800D1AC2C203775524800348FCE823B505E3B8A186ABD9423E1F3514EC0C27FA208739A18EDD4D7799A8A6579B0BF02A62A95035857016FAE5FF4C607E33B67FF8DAB590B325F8DF4EB957BDF60E78934F86E1CD5BF3DECB3713CADBE5B4762982E7E5D6BC3A3EACDD5D2E9B4B869BA6721CB01AB7BE5A89D95CB7AB9A93F7C8D472E40CF926974EE478289C70B522FC267F3347C330C8D55A1A4183E0A973A17D30F475A2819C8C6F70DD5493956080F05252DBB32C56A17CC79A4EDAEA10CE0EC170D68986DE2A1DD6C2C2A0B852478D5DA5E80C24FCBEE31F5DD22B216A40294CF2C8EDBF51D6035DDD573FBBDBEF4D3A8A1A6811F76E92A71319018D066C59CCD9BD3E655990EB6453CF373BD33C52E7102AA8B38C60D24A3C1A5708644D1D1204E7298732954D7796CE781EA859CDFDAAFE78C1EC11E69AB276ACB27678F3E16BFCEAAC63AC87CD8A402CB5E56337DDF9FA64328DD5890DE7CC5E464F97185433366DC177F7165BEB72FAAFCB76E1AD8CEA651977420D46864720A36E6C6F6254A9AF1FE8E5472B8651245F0F097F7C201B64AD7F3AF2A0090C40205018F493F84C32625F00EA27F8A6E68EEC355E5D26FF6C4B1F81ED1E14DFC53187C7602C1FDD73AEF487F2B896F9F2DA20CCE923A12CA7C8230889776B50F408CBD793E81E80CB45BF41ECECF555578C5A16372CF8B5247096471F8CB6FFAC880E398DB3D4D41B6B6138BE4A84AE3303A8B6680712373D76CB61A12084FC12B4A548071C4A8532C2A137158206BA5ADE3F5CED758A0CC26148310480831D781F5692DBB9468F18FE23468E5DC0ECA305E7DB0CDF3EEAF556026FAAD7E1D0CA62D51D494F61B87D2C4E075CA33DFB9CF122D09752BBE044012B087AB3E7EDC1EBA69ECABDC09B25BC5C46E5FFA30B31C954D3456C944691D1E447D6D088459ED515481BADA9D78B042DABB3EDDD7774EA151A2F42035C1C66947DBE85346651EFA7BD2427300F85B4F0455EC063FD0A6CAD6D54EF715A383F1EF222DD06BA1A251DA49E806A724727224BA8EA36F5BB753D8B769A42A5C609C1B964BC50DBAE79E59EF226437F3FF4BC1F76FD9189546DA391C2BC7232E9B50578FDCC99F6049C087BD3E9A1499D15FBE03FE90C95A19605CC66908EC7778F9AD80903136CCB719FA57087836731DED87BC564068D0C80414F511EEE856D0CE8D161BA531004D72004F4938F6A58A0606EDB20959AF864574C4DA979562E7A7CA198056C4AB77D2863856A573D0546EF4781A08D4ED09C4C27290125F97606350F47DF46163EDC15E9976F0F569C47CBED686D7A34E0255D70345F363E199B13744A3CBD7DA4DD6048D6DB729FEC6DB19BA235F0CB03B63C11627EF36E04924FCA2260252B1202787CD28FFDA922D94889A6C2B016A10AA91B712A3485A16FB77E6F4A86A61FA8B40A4D46C6E94CE9199042F9F950B1B85CC92A68EAC0CC933DC22C89FC5933CA5A2AD40D0E0AB24DDE4CFFD4F4D0860A91A580455301239F71C12A0E84DB72517A15C162BBD2ADF4466B102729C1B382CF001D6B8E7D558F0B5C12190380F9262446378CD06A4E08B42544508DCE03B684E13451FA2B2BDAB115E0CC0CD8479B1FDB4BCF6E6F78FD758DE40626061217B5D3E765E37DE43AAA064329E09C167C73BB584DF3D1550CE569844C7139F7D2D834AC2A610F72014D8C1636829C9B5346BF0BE284FD8072572E0307CBD70770A64C3019C29FE9B581560D0EBF6AE384C06BF0F0E2F6207AA9DB4A98DA80CA511893900C06A12C602A0678B93FBC1E030C31C74451A846E23E391B8FECB5B58C2012B92F80B9A9F484C353A813607C4CB28BBFDD952218EFA5340CD7E70D95A6D9549E5D5565AA8C79B3B4F34E9E22AD6EDEFEECAB8DFD85C03706F23A07CE391FDCBD1DA6888FB0004FBFD3D4C1744F75E0AB18DFEC14E9D1A83FF9C05B24BDE7DE25FA27E2E48DF25B9AE0D434E9AE66D0AFABD4241BD6D24084277A0C4DB7AAA0159558B63C0F3DB90217BD161EC5089961A5BAD781459F5FAE75EDD457D18F78080D95E82B131D7877E07F310A197751A7058C3C4194BF1CE35AEB73F1C158316332611C3319DAEF246BD6C46D5D86728DB78D0FFE83F570A7FEC7AFACB068997E4304546F6AB51084EFB590FD05E373C443851E7916721F54C68243D31E520127F1FF4657CAB1597F4072AF6116A8565571C2C7508DCA4FE7332C64DDBDB0433C015AA4D2A08AD260CE50139D4775F01C7B6A023402DA41D25F68D19424A3736444C1BB482F04D77C69CD851E13EDD5DDA1B4256FDD0E002C22CD6A5324A1AD590D34DE15A6396173CE1BCF325C8B693913000957347F72E13BC79326FBA439E0421E9CB02DE31A24CECDF7454FA07F0D3FF022588507DBCAB535D0D753F4CAB261B08A21AF2F98F4B8AFDEA345AA6E9206E6B02A8CC5B1F0A7553966F2DB9F495C88E892245F71C3704ED1A94BB66DE1B10642EA81577C419BEA55DD6819E4B4CC50D6585F473F47895336F5B5A0A0B9F1F74B5B2358891029FAE4C068D4378579AE470571C9B4CC4F08939C1D51C0FA322420A53FD52A5CCD6541E08579ED6B28D3D1C884F00996221255B8C1143B1F5EE276318743773B8C86A15039220722B89C3FEF6C2CE9F6F3E2CE36B331574F6092DA23E5499E6AD5B33D43998578D8A7070171CB82FEC7A9E7C1A24412AFAE52E9D52FE1304660684BCBB5A673863FC1C0BA0CD7866CAEC67BD06EFF9F1300E1CE0BEDDCCCBA3602513A8D18925E14854602E421685C3713F10D2812668852075EF60326C05F995F99609C637306E7F379EECD6FE2DFE44B27E28BE64149D07C7662412C444614AC1B25458AF7A9CA0ECE92BF2835697B680441C1965B6E244A66F22B1C6CD4322438827AEAC61192AA97B0701D84371B619AF1E7B183A016C62FE8CA72CC40220B0D9EE7EBCBCA8043B5659C31BF610A99C01057BB6CE786734334A019F00734A8090AC596844189123BD7F1018864CF00F8AA7D04D6DF9D62A7C630B25D67C5D94273FC86E760AA9D099CD60C13ACC6F8266C555A3D6FB596BC1E32FE105F4CB23EE4D212D3CE24289DDF1533398D22A76358CBA0DB4A9FFA615BC9819A86C9929FD828B5D521782CAB3E535EE9C10E128BACD6DB54D369341CC066B4E15DBB2A2216A6630860C374F29B4B608079F6C7B0D6C7C3F4FB4F2C4A97796264B92E2C2FD2E88890587345B45DC393A723041566C5DADBF0CBA9D8E98AED9BBD493C1DCBFAF293426F04CC61952ACA3EA0AB0110F780C2E0FA53F8737B40139E5E6A06C87267484BA32C1E8D98865AEBD161820FBEA9ADA45ECF83BED597BADFD7618E892C0117E115D762F557E1864697EDA5EF1B934A9EF16491D50A4B496647F2FF993AC2ECD45920860E81FA917DF0BA4000000009805EDDB7BDAE75EA101FF719CC87ADF0831F40E8A93153CE79D3F55CC84895B5F7926D7A3AF2FCBABEE6B73E478C3487E262EA716383CB503160680C90BDD0
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1902AFBF32C9B053C0614F8AC421D2A7A9B7039D
Operation:	write	Name:	Blob
Value: 1400000001000000140000006091FF1106129235EB8F98634683BD8E3A0AA3C20300000001000000140000001902AFBF32C9B053C0614F8AC421D2A7A9B7039D0F00000001000000200000005E29248DF5490737F7B0F4511BF0C81F8AEB806859D02E73841F4D753C6F537C2000000001000000DA050000308205D6308203BEA003020102020305CF5E300D06092A864886F70D01010B0500308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C2043657274301E170D3234313132363138353631375A170D3334313132343138353631375A308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C204365727430820222300D06092A864886F70D01010105000382020F003082020A0282020100DA2E0B164D33B6536908FD485DBD8BEA65E3E1B91318F0685FDB2006103D5BD1E5F0473FDB5018AA12C365C06F1801DA03C9040C3E7DCEEE7E8A1ABE60B7002D039E8569C0A95278952E2A4880D27C49F2914C58FF78D3528B4CE04A3BE561381B40787AC8038CB8A5F061F9199625C952E31D13418AAB71FAE92DEF7A9606BBA47D9EDB7F5D3BF7F374A929FD8BFEB99989E1293D76824A36C241BFB502E82CEF18B8C532754324162788CD9B179C4C73AFD3D40EE0D1B437841FD49869764A0594D245AEC25C682A5F108BC944866342D00ACE8E0AE2FAE3E27AB9AEEA79E44700CA1C17CAF7F4E8373A7CCCC21692920660E3FBE853DC38540287E327FE2C7B1719FB3F8260915B197667BE9F33AD2766765F956421BA9306310F38A640CEA62AC1E21CBC3D706C19DBEA4F08E85180C02EAAFC115C6F9579FE96CEA23246C0E2CF878036AF161DC4FF267EFD4607F586513ECE739B09C519EAE6EFEEAAE961D4CB860C00931DA6178D2964B3E1D83EABF53CA3477ED6FDB833B2BD551DF9EBCD856C9F0EEA13B400F92D6CF923DEAAECEB7CC212E905B8C350C9CFE4110F22F6765748833EC47B2875EE5AF3070970844F6C5FE74EDF07548180038E54A54287EA20DDD265EABFFE4623BDF257C842F879A4519D1D7C6A080DAC2E5476C6C448A3923515FB90EE5D0123092A3D60D6A9B76EA91725D863987A480FF1D5310203010001A333303130130603551D25040C300A06082B06010505070301301A0603551D1104133011820F6C6F63616C626174746C652E6E6574300D06092A864886F70D01010B0500038202010082CE968025DECC4D0DE48574DD05282E925EDB14217EABF2C356EFE7E4A430E284B2A487916E7D141978A5F52AC1289D64CB2269A47AE075425A7A14BBF7A488DF7C2776C93CDAAC7FA53FF0DD1FFEE4951C801D09EC5FB58DDC7456BFD671963C7683B9E846A3E29F16E50A04ADA3C94D848009E9C06E7630852D4E3B3A14437F7610B93D45BFA5B47CBBCBBD2E06FEA027373E366E46C7B09D95DF5FE0835BF8B3DA039E08E25BF79E1787C6183FC3A8C1B5FF4AFF9308D027A793FF76B910BC6F520C36A097752D5504B28CCA6086B42E3FB9FCA5E381AD6CC7F2A477AA82A2D3FFFE420C9BE2AAA3D31D9E5F87E111D34AC7728A0A4A5ADF76F1E914A6B84E727F94F3C2DA04A31DE2165B0F266C6EFBA946C54CD3C515193988DEFDDEF35EFCB79B57E1891E2DDF14BDE0F72B759085F5452BA1BDE1C0F5C3F5287483CC1FDCF62472A9D4B0368229F55D071AA70D499397A6372EC27F6B593276A53D27BB436837B684688B379E425DF15DA92B0DAFA85DCE812AB89848342DA2F5F71B7F9071DDB9CCA2CEA7F41DA203FED61ED64036D08F39D5E39883EF610001CCB112A81FA2374EB23E860F80B581CA21C747FE960B2445FB018CD5B7AB99A39C52656A9471A03E0E75D4C335F27B5D26A2C8B8AFF30F40CB29CBD8F59589E1648DCC36C92084DE5AF5AD0BCA924FABAB9C7D9A4374AD96C7E49F7D0E5CBC6C4389
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1902AFBF32C9B053C0614F8AC421D2A7A9B7039D
Operation:	write	Name:	Blob
Value: 19000000010000001000000004EBF53AFF5659ADE21A6D5FAD7FC6950F00000001000000200000005E29248DF5490737F7B0F4511BF0C81F8AEB806859D02E73841F4D753C6F537C0300000001000000140000001902AFBF32C9B053C0614F8AC421D2A7A9B7039D1400000001000000140000006091FF1106129235EB8F98634683BD8E3A0AA3C22000000001000000DA050000308205D6308203BEA003020102020305CF5E300D06092A864886F70D01010B0500308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C2043657274301E170D3234313132363138353631375A170D3334313132343138353631375A308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C204365727430820222300D06092A864886F70D01010105000382020F003082020A0282020100DA2E0B164D33B6536908FD485DBD8BEA65E3E1B91318F0685FDB2006103D5BD1E5F0473FDB5018AA12C365C06F1801DA03C9040C3E7DCEEE7E8A1ABE60B7002D039E8569C0A95278952E2A4880D27C49F2914C58FF78D3528B4CE04A3BE561381B40787AC8038CB8A5F061F9199625C952E31D13418AAB71FAE92DEF7A9606BBA47D9EDB7F5D3BF7F374A929FD8BFEB99989E1293D76824A36C241BFB502E82CEF18B8C532754324162788CD9B179C4C73AFD3D40EE0D1B437841FD49869764A0594D245AEC25C682A5F108BC944866342D00ACE8E0AE2FAE3E27AB9AEEA79E44700CA1C17CAF7F4E8373A7CCCC21692920660E3FBE853DC38540287E327FE2C7B1719FB3F8260915B197667BE9F33AD2766765F956421BA9306310F38A640CEA62AC1E21CBC3D706C19DBEA4F08E85180C02EAAFC115C6F9579FE96CEA23246C0E2CF878036AF161DC4FF267EFD4607F586513ECE739B09C519EAE6EFEEAAE961D4CB860C00931DA6178D2964B3E1D83EABF53CA3477ED6FDB833B2BD551DF9EBCD856C9F0EEA13B400F92D6CF923DEAAECEB7CC212E905B8C350C9CFE4110F22F6765748833EC47B2875EE5AF3070970844F6C5FE74EDF07548180038E54A54287EA20DDD265EABFFE4623BDF257C842F879A4519D1D7C6A080DAC2E5476C6C448A3923515FB90EE5D0123092A3D60D6A9B76EA91725D863987A480FF1D5310203010001A333303130130603551D25040C300A06082B06010505070301301A0603551D1104133011820F6C6F63616C626174746C652E6E6574300D06092A864886F70D01010B0500038202010082CE968025DECC4D0DE48574DD05282E925EDB14217EABF2C356EFE7E4A430E284B2A487916E7D141978A5F52AC1289D64CB2269A47AE075425A7A14BBF7A488DF7C2776C93CDAAC7FA53FF0DD1FFEE4951C801D09EC5FB58DDC7456BFD671963C7683B9E846A3E29F16E50A04ADA3C94D848009E9C06E7630852D4E3B3A14437F7610B93D45BFA5B47CBBCBBD2E06FEA027373E366E46C7B09D95DF5FE0835BF8B3DA039E08E25BF79E1787C6183FC3A8C1B5FF4AFF9308D027A793FF76B910BC6F520C36A097752D5504B28CCA6086B42E3FB9FCA5E381AD6CC7F2A477AA82A2D3FFFE420C9BE2AAA3D31D9E5F87E111D34AC7728A0A4A5ADF76F1E914A6B84E727F94F3C2DA04A31DE2165B0F266C6EFBA946C54CD3C515193988DEFDDEF35EFCB79B57E1891E2DDF14BDE0F72B759085F5452BA1BDE1C0F5C3F5287483CC1FDCF62472A9D4B0368229F55D071AA70D499397A6372EC27F6B593276A53D27BB436837B684688B379E425DF15DA92B0DAFA85DCE812AB89848342DA2F5F71B7F9071DDB9CCA2CEA7F41DA203FED61ED64036D08F39D5E39883EF610001CCB112A81FA2374EB23E860F80B581CA21C747FE960B2445FB018CD5B7AB99A39C52656A9471A03E0E75D4C335F27B5D26A2C8B8AFF30F40CB29CBD8F59589E1648DCC36C92084DE5AF5AD0BCA924FABAB9C7D9A4374AD96C7E49F7D0E5CBC6C4389
(PID) Process:	(7060) Agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1902AFBF32C9B053C0614F8AC421D2A7A9B7039D
Operation:	write	Name:	Blob
Value: 0F00000001000000200000005E29248DF5490737F7B0F4511BF0C81F8AEB806859D02E73841F4D753C6F537C0300000001000000140000001902AFBF32C9B053C0614F8AC421D2A7A9B7039D2000000001000000DA050000308205D6308203BEA003020102020305CF5E300D06092A864886F70D01010B0500308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C2043657274301E170D3234313132363138353631375A170D3334313132343138353631375A308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C204365727430820222300D06092A864886F70D01010105000382020F003082020A0282020100DA2E0B164D33B6536908FD485DBD8BEA65E3E1B91318F0685FDB2006103D5BD1E5F0473FDB5018AA12C365C06F1801DA03C9040C3E7DCEEE7E8A1ABE60B7002D039E8569C0A95278952E2A4880D27C49F2914C58FF78D3528B4CE04A3BE561381B40787AC8038CB8A5F061F9199625C952E31D13418AAB71FAE92DEF7A9606BBA47D9EDB7F5D3BF7F374A929FD8BFEB99989E1293D76824A36C241BFB502E82CEF18B8C532754324162788CD9B179C4C73AFD3D40EE0D1B437841FD49869764A0594D245AEC25C682A5F108BC944866342D00ACE8E0AE2FAE3E27AB9AEEA79E44700CA1C17CAF7F4E8373A7CCCC21692920660E3FBE853DC38540287E327FE2C7B1719FB3F8260915B197667BE9F33AD2766765F956421BA9306310F38A640CEA62AC1E21CBC3D706C19DBEA4F08E85180C02EAAFC115C6F9579FE96CEA23246C0E2CF878036AF161DC4FF267EFD4607F586513ECE739B09C519EAE6EFEEAAE961D4CB860C00931DA6178D2964B3E1D83EABF53CA3477ED6FDB833B2BD551DF9EBCD856C9F0EEA13B400F92D6CF923DEAAECEB7CC212E905B8C350C9CFE4110F22F6765748833EC47B2875EE5AF3070970844F6C5FE74EDF07548180038E54A54287EA20DDD265EABFFE4623BDF257C842F879A4519D1D7C6A080DAC2E5476C6C448A3923515FB90EE5D0123092A3D60D6A9B76EA91725D863987A480FF1D5310203010001A333303130130603551D25040C300A06082B06010505070301301A0603551D1104133011820F6C6F63616C626174746C652E6E6574300D06092A864886F70D01010B0500038202010082CE968025DECC4D0DE48574DD05282E925EDB14217EABF2C356EFE7E4A430E284B2A487916E7D141978A5F52AC1289D64CB2269A47AE075425A7A14BBF7A488DF7C2776C93CDAAC7FA53FF0DD1FFEE4951C801D09EC5FB58DDC7456BFD671963C7683B9E846A3E29F16E50A04ADA3C94D848009E9C06E7630852D4E3B3A14437F7610B93D45BFA5B47CBBCBBD2E06FEA027373E366E46C7B09D95DF5FE0835BF8B3DA039E08E25BF79E1787C6183FC3A8C1B5FF4AFF9308D027A793FF76B910BC6F520C36A097752D5504B28CCA6086B42E3FB9FCA5E381AD6CC7F2A477AA82A2D3FFFE420C9BE2AAA3D31D9E5F87E111D34AC7728A0A4A5ADF76F1E914A6B84E727F94F3C2DA04A31DE2165B0F266C6EFBA946C54CD3C515193988DEFDDEF35EFCB79B57E1891E2DDF14BDE0F72B759085F5452BA1BDE1C0F5C3F5287483CC1FDCF62472A9D4B0368229F55D071AA70D499397A6372EC27F6B593276A53D27BB436837B684688B379E425DF15DA92B0DAFA85DCE812AB89848342DA2F5F71B7F9071DDB9CCA2CEA7F41DA203FED61ED64036D08F39D5E39883EF610001CCB112A81FA2374EB23E860F80B581CA21C747FE960B2445FB018CD5B7AB99A39C52656A9471A03E0E75D4C335F27B5D26A2C8B8AFF30F40CB29CBD8F59589E1648DCC36C92084DE5AF5AD0BCA924FABAB9C7D9A4374AD96C7E49F7D0E5CBC6C4389

Add for printing

Executable files

138

Suspicious files

375

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5404	Battle.net-Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		binary
		MD5:3E3BDF47E0DC0653A0F73E6ADD657BE2	SHA256:BE140911F1A6B6BD18A4B4BC2347369C993BF17AB9ECFAD0C457EC53EF89783D
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\..Blizzard Uninstaller.exe.11.6712.temp.12.6712.temp		executable
		MD5:B8BB284B7CD26643DF6876D665FBDE02	SHA256:117420F75D1D5DB1B3908E0728F748198D37894AF980F7614226480C7DD7BAEB
5404	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20241126T185554.log		text
		MD5:FD7FE5CDC8527CA17F659F5D061D61ED	SHA256:0299574E3C1187E367C1DC2B98D6C64A3413F31CDF3941925A32A411D1819B8F
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20241126T185602.log		text
		MD5:0507C22628A905AE5BA8E8F4349A43D7	SHA256:69C9E2736B6A78EF96274AA4450B2435E5DAA47F88E4A0DE14D02FF2ED191B0E
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.LICENSES.14.6712.temp		binary
		MD5:38419AB362517167EAFA313B5821D163	SHA256:BF0E312D933BC2A2E3869A05B7D760FAC5E4E569F4349572C5269683F43610BD
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.13.6712.temp		executable
		MD5:B8BB284B7CD26643DF6876D665FBDE02	SHA256:117420F75D1D5DB1B3908E0728F748198D37894AF980F7614226480C7DD7BAEB
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.BlizzardError.exe.20.6712.temp		binary
		MD5:19E4267E5D1685D10F57D49890DEFA15	SHA256:BC1E5933220C841A38D211D9FFD0A2E6A239169F28BC0BE755365BC995BA56F0
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\..AgentHelper.exe.17.6712.temp.18.6712.temp		executable
		MD5:839F14582260F56BF6693008E323A437	SHA256:013B6B8B9D711477C5AE1B69A2E88181A495DF3B97283E5FB06459E0019440E2
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\..AgentHelper.exe.17.6712.temp.18.6712.temp.temp		executable
		MD5:839F14582260F56BF6693008E323A437	SHA256:013B6B8B9D711477C5AE1B69A2E88181A495DF3B97283E5FB06459E0019440E2
6712	Battle.net-Setup.exe	C:\ProgramData\Battle.net\Agent\.AgentHelper.exe.17.6712.temp		binary
		MD5:45683BFAA1E36EDB39D23F23F155683C	SHA256:55797F4F18CAAD6CB5A69370EA2C8F3C24048D199306B7A239F2034A1CF95523

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

233

TCP/UDP connections

117

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5404	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
5404	Battle.net-Setup.exe	GET	204	34.253.98.116:80	http://nydus.battle.net/geoip	unknown	—	—	whitelisted
5404	Battle.net-Setup.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
5404	Battle.net-Setup.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAxEIEg8DxEkiqu7bqioboI%3D	unknown	—	—	whitelisted
5404	Battle.net-Setup.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
6712	Battle.net-Setup.exe	GET	200	137.221.106.28:1119	http://us.patch.battle.net:1119/bts/versions	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2356	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.32.238.34:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	104.126.37.123:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	23.218.209.163:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5404	Battle.net-Setup.exe	34.253.98.116:80	nydus.battle.net	AMAZON-02	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 4.231.128.59	whitelisted
crl.microsoft.com	23.32.238.34 2.19.198.194	whitelisted
www.bing.com	104.126.37.123 104.126.37.185 104.126.37.170 104.126.37.179 104.126.37.186 104.126.37.163 104.126.37.178 104.126.37.171 104.126.37.177	whitelisted
google.com	172.217.18.110	whitelisted
www.microsoft.com	23.218.209.163	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
nydus.battle.net	34.253.98.116 54.171.236.85	whitelisted
iir.blizzard.com	66.40.185.57	whitelisted
login.live.com	40.126.31.67 40.126.31.73 20.190.159.0 20.190.159.4 20.190.159.71 20.190.159.23 40.126.31.71 40.126.31.69	whitelisted
go.microsoft.com	23.218.210.69	whitelisted

Threats

PID	Process	Class	Message
5404	Battle.net-Setup.exe	Potential Corporate Privacy Violation	ET POLICY GeoIP Lookup (nydus.battle.net)
6712	Battle.net-Setup.exe	Potential Corporate Privacy Violation	ET POLICY GeoIP Lookup (nydus.battle.net)

Add for printing

No debug info

General Info

Battle.net-Setup.exe

F7FE24CEBBC4B0332C77BCE563E11B1D

744968C9193E5A1B96941695600D3770E61A6FFA

002F33FEE7B8A159058368B7E93E492931C4CA72E90660BDB2691BCD62FEDD3C

98304:sdpEDlZPq7VZYLwZ6SbP+04w1n+5aSdNbgl8LoA94D1PfjWEeJfZX/BufZdERaQP:jqO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Connects to unusual port

Application launched itself

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Checks for external IP

The process drops C-runtime libraries

Process drops legitimate windows executable

INFO

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings