File name:

02860044_2

Full analysis: https://app.any.run/tasks/5805d735-bfd9-4202-984e-a23c4c16020b
Verdict: Malicious activity
Analysis date: February 13, 2022, 23:50:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F6806F02DE215F47DFF29E6ADD75F0A7

SHA1:

749AFEA4C854BFB958CFE1CDBD58E27B4520B094

SHA256:

9F3CB5FE1D885A90B12DB8673B8BFFAB5FF1E9F87E96D3D08618F87CC65C9456

SSDEEP:

98304:Hjp5CzCWby2H8sh8nIKWc9fDmuqMR1Cn:l52r0fSuq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Agent.exe (PID: 1124)
      • Agent.exe (PID: 2572)

    • Changes settings of System certificates

      • Agent.exe (PID: 1124)

  • SUSPICIOUS

    • Reads the computer name

      • 02860044_2.exe (PID: 3732)
      • 02860044_2.exe (PID: 1264)
      • Agent.exe (PID: 1124)
      • Agent.exe (PID: 2572)

    • Application launched itself

      • 02860044_2.exe (PID: 3732)

    • Checks supported languages

      • 02860044_2.exe (PID: 3732)
      • 02860044_2.exe (PID: 1264)
      • Agent.exe (PID: 2572)
      • Agent.exe (PID: 1124)

    • Creates files in the program directory

      • 02860044_2.exe (PID: 1264)
      • 02860044_2.exe (PID: 3732)
      • Agent.exe (PID: 2572)
      • Agent.exe (PID: 1124)

    • Executable content was dropped or overwritten

      • 02860044_2.exe (PID: 1264)
      • Agent.exe (PID: 1124)

    • Drops a file that was compiled in debug mode

      • 02860044_2.exe (PID: 1264)
      • Agent.exe (PID: 1124)

    • Drops a file with a compile date too recent

      • 02860044_2.exe (PID: 1264)
      • Agent.exe (PID: 1124)

    • Creates a directory in Program Files

      • Agent.exe (PID: 1124)

  • INFO

    • Checks Windows Trust Settings

      • 02860044_2.exe (PID: 3732)
      • 02860044_2.exe (PID: 1264)

    • Reads settings of System Certificates

      • 02860044_2.exe (PID: 1264)
      • 02860044_2.exe (PID: 3732)
      • Agent.exe (PID: 1124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

OriginalFileName: Battle.net-Setup.exe
FileDescription: Battle.net Setup
ProductVersion: 1.18.0.3086
ProductName: Battle.net Setup
CompanyName: Blizzard Entertainment
FileVersion: 1.18.0.3086
InternalName: Battle.net Setup
LegalCopyright: © 2005-2021 Blizzard Entertainment Inc.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.18.0.3086
FileVersionNumber: 1.18.0.3086
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x13e999
UninitializedDataSize: -
InitializedDataSize: 1878528
CodeSize: 2947584
LinkerVersion: 14.15
PEType: PE32
TimeStamp: 2021:03:30 00:44:45+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Mar-2021 22:44:45
Detected languages:
  • English - United States
TLS Callbacks: 1 callback(s) detected.
Debug artifacts:
  • D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdb
LegalCopyright: © 2005-2021 Blizzard Entertainment Inc.
InternalName: Battle.net Setup
FileVersion: 1.18.0.3086
CompanyName: Blizzard Entertainment
ProductName: Battle.net Setup
ProductVersion: 1.18.0.3086
FileDescription: Battle.net Setup
OriginalFilename: Battle.net-Setup.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 29-Mar-2021 22:44:45
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x002CF83C
0x002CFA00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.7073
.rdata
0x002D1000
0x0011F87C
0x0011FA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.06306
.data
0x003F1000
0x00077424
0x0001AA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.10008
.rsrc
0x00469000
0x00068C2C
0x00068E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.75285
.reloc
0x004D2000
0x00027614
0x00027800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.61263

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.23189
1360
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.83735
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
3
3.47141
2440
Latin 1 / Western European
UNKNOWN
RT_ICON
4
7.92586
10068
Latin 1 / Western European
UNKNOWN
RT_ICON
5
3.24851
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
6
2.86021
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
7
2.67363
16936
Latin 1 / Western European
UNKNOWN
RT_ICON
NOTOSANS-BOLD-MINIMAL.TTF
5.54077
81420
Latin 1 / Western European
UNKNOWN
FONT
NOTOSANS-REGULAR-MINIMAL.TTF
5.52796
81896
Latin 1 / Western European
UNKNOWN
FONT
OBJECTSANS-BOLD-MINIMAL.TTF
5.87244
94632
Latin 1 / Western European
UNKNOWN
FONT

Imports

ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
UIAutomationCore.DLL
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start 02860044_2.exe 02860044_2.exe agent.exe no specs agent.exe

Process information

PID
CMD
Path
Indicators
Parent process
1124"C:\ProgramData\Battle.net\Agent\Agent.7661\Agent.exe" --locale=enUS --session=13672995831491077551C:\ProgramData\Battle.net\Agent\Agent.7661\Agent.exe
Agent.exe
User:
admin
Company:
Blizzard Entertainment
Integrity Level:
HIGH
Description:
Battle.net Update Agent
Exit code:
0
Version:
2.26.0.7661
1264"C:\Users\admin\AppData\Local\Temp\02860044_2.exe" --cmdver=2 --elevated --locale=enUS --mode=setup --session=13672995831491077551C:\Users\admin\AppData\Local\Temp\02860044_2.exe
02860044_2.exe
User:
admin
Company:
Blizzard Entertainment
Integrity Level:
HIGH
Description:
Battle.net Setup
Exit code:
0
Version:
1.18.0.3086
2572"C:\ProgramData\Battle.net\Agent\Agent.exe" --locale=enUS --session=13672995831491077551C:\ProgramData\Battle.net\Agent\Agent.exe02860044_2.exe
User:
admin
Company:
Blizzard Entertainment
Integrity Level:
HIGH
Description:
Battle.net File Switcher
Exit code:
0
Version:
2.26.0.7661
3732"C:\Users\admin\AppData\Local\Temp\02860044_2.exe" C:\Users\admin\AppData\Local\Temp\02860044_2.exe
Explorer.EXE
User:
admin
Company:
Blizzard Entertainment
Integrity Level:
MEDIUM
Description:
Battle.net Setup
Exit code:
0
Version:
1.18.0.3086
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
26
Suspicious files
24
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
126402860044_2.exeC:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20220213T235137.logtext
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\..Blizzard Uninstaller.exe.10.1264.temp.11.1264.temp.tempexecutable
MD5:
SHA256:
373202860044_2.exeC:\ProgramData\Battle.net\Setup\bna_2\Logs\battle.net-setup-20220213T235057.logtext
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.10.1264.tempbinary
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.12.1264.tempexecutable
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\..BlizzardError.exe.16.1264.temp.17.1264.temp.tempexecutable
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\..BlizzardError.exe.16.1264.temp.17.1264.tempexecutable
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\.BlizzardError.exe.16.1264.tempbinary
MD5:
SHA256:
126402860044_2.exeC:\ProgramData\Battle.net\Agent\.LICENSES.13.1264.tempbinary
MD5:38419AB362517167EAFA313B5821D163
SHA256:BF0E312D933BC2A2E3869A05B7D760FAC5E4E569F4349572C5269683F43610BD
126402860044_2.exeC:\ProgramData\Battle.net\Agent\..Blizzard Uninstaller.exe.10.1264.temp.11.1264.tempexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
224
TCP/UDP connections
226
DNS requests
19
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3732
02860044_2.exe
GET
204
37.244.28.104:80
http://nydus.battle.net/geoip
FR
suspicious
GET
67.27.235.254:80
http://level3.blizzard.com/tpr/bnt001/config/96/d6/96d61f6cf723d4e688283f448f53b3c1
US
suspicious
1264
02860044_2.exe
GET
200
8.248.115.254:80
http://level3.blizzard.com/tpr/configs/data/86/33/863334b8e9cb50956b371df9c59f22bc
US
text
3.63 Kb
suspicious
1264
02860044_2.exe
GET
200
137.221.106.19:1119
http://us.patch.battle.net:1119/bts/versions
FR
text
3.14 Kb
suspicious
1264
02860044_2.exe
GET
200
137.221.106.19:1119
http://us.patch.battle.net:1119/agent/versions
FR
text
741 b
suspicious
1264
02860044_2.exe
GET
200
137.221.106.19:1119
http://us.patch.battle.net:1119/agent/cdns
FR
text
1.88 Kb
suspicious
1264
02860044_2.exe
GET
200
137.221.64.2:80
http://us.cdn.blizzard.com/tpr/bnt001/config/90/6e/906e80a7dd31209f470dcff153d730c0
FR
text
659 b
whitelisted
1264
02860044_2.exe
GET
200
137.221.64.4:80
http://us.cdn.blizzard.com/tpr/bnt001/config/90/6e/906e80a7dd31209f470dcff153d730c0
FR
text
659 b
whitelisted
1264
02860044_2.exe
GET
200
67.27.235.254:80
http://level3.blizzard.com/tpr/configs/data/86/33/863334b8e9cb50956b371df9c59f22bc
US
text
3.63 Kb
suspicious
1264
02860044_2.exe
GET
200
8.253.95.121:80
http://level3.blizzard.com/tpr/configs/data/86/33/863334b8e9cb50956b371df9c59f22bc
US
text
3.63 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3732
02860044_2.exe
37.244.28.104:80
nydus.battle.net
Blizzard Entertainment, Inc
FR
suspicious
3732
02860044_2.exe
24.105.29.24:3724
iir.blizzard.com
Blizzard Entertainment, Inc
US
suspicious
1264
02860044_2.exe
142.250.186.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
1264
02860044_2.exe
37.244.28.104:80
nydus.battle.net
Blizzard Entertainment, Inc
FR
suspicious
1264
02860044_2.exe
137.221.106.19:1119
us.patch.battle.net
Blizzard Entertainment, Inc
FR
suspicious
24.105.29.24:3724
iir.blizzard.com
Blizzard Entertainment, Inc
US
suspicious
1264
02860044_2.exe
8.248.115.254:80
level3.blizzard.com
Level 3 Communications, Inc.
US
suspicious
1264
02860044_2.exe
67.27.235.254:80
level3.blizzard.com
Level 3 Communications, Inc.
US
suspicious
3732
02860044_2.exe
142.250.186.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
137.221.64.3:80
us.cdn.blizzard.com
FR
unknown

DNS requests

Domain
IP
Reputation
nydus.battle.net
  • 37.244.28.104
suspicious
iir.blizzard.com
  • 24.105.29.24
suspicious
www.google-analytics.com
  • 142.250.186.110
whitelisted
us.patch.battle.net
  • 137.221.106.19
suspicious
blzddist1-a.akamaihd.net
  • 2.16.107.51
  • 2.16.107.122
whitelisted
level3.blizzard.com
  • 8.253.204.120
  • 67.27.234.126
  • 8.248.119.254
  • 8.253.204.249
  • 67.27.235.254
  • 8.241.79.254
  • 8.253.95.121
  • 8.248.115.254
  • 8.248.133.254
  • 8.241.78.254
  • 67.27.158.254
  • 67.27.159.254
  • 67.27.233.254
  • 67.27.235.126
  • 8.253.95.120
suspicious
us.cdn.blizzard.com
  • 137.221.64.7
  • 137.221.64.1
  • 137.221.64.6
  • 137.221.64.5
  • 137.221.64.3
  • 137.221.64.2
  • 137.221.64.4
  • 137.221.64.8
whitelisted
level3.ssl.blizzard.com
  • 67.27.158.129
  • 67.27.235.129
  • 8.253.95.41
  • 8.253.204.40
  • 67.27.158.1
unknown
telemetry-in.battle.net
  • 24.105.29.76
unknown
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
whitelisted

Threats

PID
Process
Class
Message
3732
02860044_2.exe
Potential Corporate Privacy Violation
ET POLICY GeoIP Lookup (nydus.battle.net)
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
02860044_2