Malware analysis Diablo III Launcher.exe Malicious activity

Add for printing

File name:	Diablo III Launcher.exe
Full analysis:	https://app.any.run/tasks/f1ee961c-d90f-4bf6-966a-b1439127a5b8
Verdict:	Malicious activity
Analysis date:	September 27, 2024, 04:26:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	AFB2355B9EA23BBC732F1C81F5F2C9F3
SHA1:	7D5FED8E16DC3E340BC5519C49ABF16EE3C2F9BB
SHA256:	B3CD11C2AEDEB607066150D582FE15707D7A1A36B3965866772C1E6E3B304185
SSDEEP:	98304:TqtoSwEJkBYf7hEZ/PybjViwntc9CHFw4LxdAgNPEwzlQMMJfhqB6HA0GmXBT9WL:TqmsH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Potential Corporate Privacy Violation
  - Diablo III Launcher.exe (PID: 2368)
- Checks for external IP
  - Diablo III Launcher.exe (PID: 2368)
- Executable content was dropped or overwritten
  - Diablo III Launcher.exe (PID: 2368)
  - Agent.exe (PID: 3980)
  - AgentHelper.exe (PID: 3288)
- Connects to unusual port
  - Agent.exe (PID: 3980)
  - Diablo III Launcher.exe (PID: 2368)
- The process drops C-runtime libraries
  - Agent.exe (PID: 3980)
- Executes as Windows Service
  - AgentHelper.exe (PID: 2580)
- Process drops legitimate windows executable
  - Agent.exe (PID: 3980)
INFO
- Checks supported languages
  - Diablo III Launcher.exe (PID: 2368)
- Creates files in the program directory
  - Diablo III Launcher.exe (PID: 2368)
- Reads the computer name
  - Diablo III Launcher.exe (PID: 2368)
- Reads the machine GUID from the registry
  - Diablo III Launcher.exe (PID: 2368)
- Checks proxy server information
  - Diablo III Launcher.exe (PID: 2368)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:01 21:44:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.15
CodeSize:	2947584
InitializedDataSize:	2157056
UninitializedDataSize:	-
EntryPoint:	0x13e9f6
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.18.5.3107
ProductVersionNumber:	1.18.5.3107
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
LegalCopyright:	© 2005-2022 Blizzard Entertainment Inc.
InternalName:	Diablo III Launcher
FileVersion:	1.18.5.3107
CompanyName:	Blizzard Entertainment
ProductName:	Diablo III Launcher
ProductVersion:	1.18.5.3107
FileDescription:	Diablo III Launcher
OriginalFileName:	Diablo III Launcher.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2368

"C:\Users\admin\AppData\Local\Temp\Diablo III Launcher.exe"

C:\Users\admin\AppData\Local\Temp\Diablo III Launcher.exe

explorer.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Diablo III Launcher

Version:

1.18.5.3107

Modules

Images
c:\users\admin\appdata\local\temp\diablo iii launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2476

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Agent.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2580

C:\ProgramData\Battle.net_components\battlenet_helpersvc\AgentHelper.exe

services.exe

User:

SYSTEM

Company:

Blizzard Entertainment

Integrity Level:

SYSTEM

Description:

Battle.net Admin Agent

Version:

2.35.5.8868

Modules

Images
c:\programdata\battle.net_components\battlenet_helpersvc\agenthelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

3288

"C:\ProgramData\Battle.net\Agent\AgentHelper.exe" --install --target=C:/ProgramData/Battle.net_components/battlenet_helpersvc/AgentHelper.exe

C:\ProgramData\Battle.net\Agent\AgentHelper.exe

Agent.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

HIGH

Description:

Battle.net Admin Agent

Exit code:

Version:

2.35.5.8868

Modules

Images
c:\programdata\battle.net\agent\agenthelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3980

"C:\ProgramData\Battle.net\Agent\Agent.8868\Agent.exe" --locale=enUS --session=8993517352631874243

C:\ProgramData\Battle.net\Agent\Agent.8868\Agent.exe

Agent.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle.net Update Agent

Version:

2.35.5.8868

Modules

Images
c:\programdata\battle.net\agent\agent.8868\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4192

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

AgentHelper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4788

"C:\ProgramData\Battle.net\Agent\Agent.exe" --locale=enUS --session=8993517352631874243

C:\ProgramData\Battle.net\Agent\Agent.exe

—

Diablo III Launcher.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

Battle.net File Switcher

Exit code:

Version:

2.35.5.8868

Modules

Images
c:\programdata\battle.net\agent\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

14 518

Read events

14 510

Write events

Delete events

Modification events


(PID) Process:	(2368) Diablo III Launcher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Blizzard Error
Operation:	write	Name:	UserUUID
Value: E57FE610-5764-4F03-AF3B-D198D1DB12E6
(PID) Process:	(2368) Diablo III Launcher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment\Launcher
Operation:	write	Name:	Locale
Value: enUS
(PID) Process:	(2580) AgentHelper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:	delete value	Name:	458DFDFF5D4921D746A6B56421B1EE2D44E325F6
Value:
(PID) Process:	(2580) AgentHelper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\458DFDFF5D4921D746A6B56421B1EE2D44E325F6
Operation:	write	Name:	Blob
Value: 030000000100000014000000458DFDFF5D4921D746A6B56421B1EE2D44E325F62000000001000000DA030000308203D6308202BEA003020102020307C35D300D06092A864886F70D01010B0500308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C2043657274301E170D3234303932373034323730315A170D3334303932353034323730315A308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C204365727430820122300D06092A864886F70D01010105000382010F003082010A02820101009ACC88FCFD8585EDBEA063289A90B21160DF6245CBC750C24D359E19E166C146279BEBB586F91C7F63B201139528C8BFF9BB68C3BB50D2185A3EB68784F4448173A8D66F47B49C0396813660B20773952D149D9D56E2BCAA5703BD75FB2ABF20BD3644A3E1F72F93E586308B24EFC01C42A33DA6281EA4D3CD5865FBC59796CCDAC4F62C393D01993C4651ACFB8AE1EE0F0C8E7304DB95F71CC315B2E3A0A6FD3F7FF3EE6FF4E66404E9BDA2649B3127C2CC4698D2F26DAD1F1752B00949BEF0493ED6841E6FF2C01F953EA715D5404FC7D0DA351C6C7A298E32763BF7DF56389D73301EB322D46CF50D27772CBCEDA2DCC7959E1B98F5B3639C7B4BD7CC4C990203010001A333303130130603551D25040C300A06082B06010505070301301A0603551D1104133011820F6C6F63616C626174746C652E6E6574300D06092A864886F70D01010B050003820101004F64681285B1FCC1BF1E16A685A2796B88C977BC04CABDF156CDA2F0FDEFF49E465FB6AE7CA6DFB33C124F2CF93AE9772842225D91F8D3E68015113753748ECEF8057DBC429E7AFFCF34C1CCEABC4E3571A31B888062ECD7E2BAE44D86E6CB97E267EBCB08D58DAEB0D330FE6794CEFCA82B5AAE933B480DE3DD4A96C0E997983697D1CAAC06F9224AC70628970DD1DE1B4C54F9F97EA42F8C9AA11B612F8A8DF5A52240E113321A910294D43FCED5A863E67F7AE9F10E606DC8FDEA8C0E8AE0559CB4A344213563FE258240FAAD1BFCA7D1B0AEA02F66EB7DAAB70A208CFDCE9E1AC7DAF3BDAE59E5B3EAFC4788FCF67929773EE1BEFF855A38D38161434CBA
(PID) Process:	(2580) AgentHelper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\458DFDFF5D4921D746A6B56421B1EE2D44E325F6
Operation:	write	Name:	Blob
Value: 0F0000000100000020000000BFF1FB065BC5B147343A4F0C62A4B0A3DE657A9E5E965FF6652829051B0958BD030000000100000014000000458DFDFF5D4921D746A6B56421B1EE2D44E325F62000000001000000DA030000308203D6308202BEA003020102020307C35D300D06092A864886F70D01010B0500308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C2043657274301E170D3234303932373034323730315A170D3334303932353034323730315A308192310B30090603550406130255533113301106035504080C0A43616C69666F726E6961310F300D06035504070C06497276696E65311F301D060355040A0C16426C697A7A61726420456E7465727461696E6D656E7431133011060355040B0C0A426174746C652E6E65743127302506035504030C1E426C697A7A61726420426174746C652E6E6574204C6F63616C204365727430820122300D06092A864886F70D01010105000382010F003082010A02820101009ACC88FCFD8585EDBEA063289A90B21160DF6245CBC750C24D359E19E166C146279BEBB586F91C7F63B201139528C8BFF9BB68C3BB50D2185A3EB68784F4448173A8D66F47B49C0396813660B20773952D149D9D56E2BCAA5703BD75FB2ABF20BD3644A3E1F72F93E586308B24EFC01C42A33DA6281EA4D3CD5865FBC59796CCDAC4F62C393D01993C4651ACFB8AE1EE0F0C8E7304DB95F71CC315B2E3A0A6FD3F7FF3EE6FF4E66404E9BDA2649B3127C2CC4698D2F26DAD1F1752B00949BEF0493ED6841E6FF2C01F953EA715D5404FC7D0DA351C6C7A298E32763BF7DF56389D73301EB322D46CF50D27772CBCEDA2DCC7959E1B98F5B3639C7B4BD7CC4C990203010001A333303130130603551D25040C300A06082B06010505070301301A0603551D1104133011820F6C6F63616C626174746C652E6E6574300D06092A864886F70D01010B050003820101004F64681285B1FCC1BF1E16A685A2796B88C977BC04CABDF156CDA2F0FDEFF49E465FB6AE7CA6DFB33C124F2CF93AE9772842225D91F8D3E68015113753748ECEF8057DBC429E7AFFCF34C1CCEABC4E3571A31B888062ECD7E2BAE44D86E6CB97E267EBCB08D58DAEB0D330FE6794CEFCA82B5AAE933B480DE3DD4A96C0E997983697D1CAAC06F9224AC70628970DD1DE1B4C54F9F97EA42F8C9AA11B612F8A8DF5A52240E113321A910294D43FCED5A863E67F7AE9F10E606DC8FDEA8C0E8AE0559CB4A344213563FE258240FAAD1BFCA7D1B0AEA02F66EB7DAAB70A208CFDCE9E1AC7DAF3BDAE59E5B3EAFC4788FCF67929773EE1BEFF855A38D38161434CBA
(PID) Process:	(2580) AgentHelper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Blizzard Entertainment\Battle.net
Operation:	write	Name:	LocalBattlenetCertificate
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000009D29A3460DB6D54295E82A624F66444D04000000020000000000106600000001000020000000909420F3EB95FE11AE6A401D7C21E526F926CC75B39D553BCCD2B9891B8D634C000000000E8000000002000020000000634BE558069461A11A6AD1F160B43D542314C0B5C5460C1C484F5EA0E484F5077005000058957CD356749D66F2411EBE040FF8FE20F229DD0F9C67E2744C362821407E7B7A317C57DBB5C01FF4315C493A929E0DF341654923A6D38EB53AC2A53FBD66FA5E447AF2F01203D80B6F1292280357EECEE23D560388715A1BE3DD5644F1F09BCD44FED137B63B0CB0324446FFD0DEB755AC98EECEAF94B1738A844F36E1953D8A28977A9CAC1EF43C606529F3234E185D4BDF15D3CCE55BF855D2CCA1E41E1DCCFC55A2ABD8808EA80E574F0923BAE7CF42A31E4114B76569433E70E5B6DF0677D53644102A071FBD2525537C7FD31CFD5B8CB9028934C3EF59D5F61367846D512488CEC333A5FADE48681B56D0705BC2C7132F45530AEAF796EB400E35DA387A6BB9E4836D2137771AE2A75C51F2F12D6254FBF742763CA146A22630F1BC34E64B9CB9E201BA96990A9FF6686BBC5777B6AD1A34E7D48CE44AA7F312CA6D28A904A77845B64CE5CE6B098BCD62747CC5E53CD62353B8C24BB5FA4B625B0EFFC62698F3C1B57F4EB3F11E8ABB9E808E4EC6DDFAC9C2F19A077C78902E4D577F0DBEFFA34E8427F450259430013FAA1593BA408A2AD4D882919097987346673C4EE8A2A0C5731545A847828E4B52293DE788DEEEA93779D5CBDB290D9373DBD8FC56FB62F46DD141A9675037EBCD4FE9E0CA3A06F3A3DCD2EA4A87BDACAEF73133E8C526A574BE3F420FEE5BF6853C90ADDCBA4BEDB4A63063AB0ACEFF82B5F3DFEBCA8EA1E901E562DCC2388E0ABA75BEE1B3E86EDF5761EEB60238BFE8599B9CA309E019120F72D0DC4D62E6A8724D31AC623756897B32E06F820D4806D7E2000B3796811C21818AB160364440EA249673DA0418BDF13F408DDE726A81D14A4DB85E2A3EBE6CC0403EF24F83B99F6CBE36344C9D89A646261749A8FF3834AF7E27F2A683C2666FE8F0132E3F9EC0657E716BFEA4C9F3E2683C4781F3E094D7F59F91428DAAEC5D5213D6504B3E4A4CF4183DB1311BD5E7171B9B7D2895697AA6A60039B03F9CDC0CFE82F8DD3993A0B43DAB92245D2C2648F9DAFAD3A0F3E980D4B86FFDB2DE1C3AAF1566322A1B223C0CD08ACB4DBBEB91DDEC28615C164B4556ADB40B7C116A64E5F726471A2140059DAE0D349ED96B26256B227C254568C22D9EBC83E1C427C6A32C0788AC245A3AD35EC55C9DE767E2FAA3083D12F74525B0B25A1F23B0315FD01FD19DA28F9E12D32259427181DBFD3C913BF356E91636C6D561DA9EEB6468E962D6CE9EAA0355777BB4229B6506AF168543341D26736432A19C67FD7268219BA3683CEAB51EC781B54CD01F22AE1B3DDA98962E5D75D2B0FA249F5BDE7870C08A337B2DC00286D3FA0BA91B802EA26FE94F2861CD3E8A8CB15E8A52ECF50F8ED77EB5E407E6E4E3F010D0E75F534EC8E1E5184B1EC2BC68375FF0846AB716B4D22C426578ABDBF695AC9610E40E59414083D8B4DAB2DFB05E44AF3AEC66D76190B8DAE41BFD4B350C47F64BFA79E545ED77C3A630485862113890BD4A03B7D4417751C3568FFB44698286396A49D3F34AA8E8176FD30B38F2B09A8C5391B6F65B3E27DC3095045974CF40387440A294DED19209B4E5543FA110611F02FFEF0FDDEC653D821D0A79662CA8774178E317C79A2B7D7508011C56ADA6A36362E9D8EDCDDED5E131AF13C9DD0272F5BEB5909D3317B78087D457665CBBC674CB8652BCDF05A1F8232CDD01DB870C3FF41D079F8A9301FAFC492B704C8D85F604B52434F57C4F61C703F01BA69BF6ED344D059839BA96358D8AC274DE97C55DD4C2856E371AE08939B75C28F54938FADA6CD7BF86F1A9539A3DE7AB09FEC803E34FD79EB2EA97D834D9D955BD42561BADFFC6CA112A7627E5EA85A14B913DC6CD6EF89BFC9430BF38ED3DF1DBAD5EF5F29FF5252B21C38C3A268844894D6FB8D2CEE21FFA17C624F5E44B319A6F2508FF5DAA553F9082D60435D4962C3C16F830A412B62D289B644F40000000182DC342F6189E6C076D67CB9DAED35AFBACE85066EDDB1044B788002D006DCCE6C894A6DA7F86EA9B0564487118BA4B327BFDB2DD93642145181F55F3D8BAC9
(PID) Process:	(2580) AgentHelper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Blizzard Entertainment\Battle.net
Operation:	write	Name:	LocalBattlenetPrivateKey
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000009D29A3460DB6D54295E82A624F66444D0400000002000000000010660000000100002000000015348D7BAC64D271A3209532D53EFF1146B23D0BC77091F880A2F35DAA66547F000000000E8000000002000020000000C60EF3F1B3F7D8F600AEFF9EB3475351B83B825B8881E354F14FDBD81C269C07B0060000D4175CDAE59F8158DC960C893DF438866075AD93CE10DFF8959308071E4DD94F08E40B9901CB9358CC9189C348722EDD22D2F552D85146B86E30787C411B43AE05DDDA6173E3CE60200DC33AEAF864C1C9EFF1C55749099699122E837FB5F3B32894B4918F29EFFA862D376D58068D92CC41776627C4C6C85E82E2CE9C5F805A85B036DCA3C0717087CA5E7449F490C3948724855E1A834D6E2DE9480527A6A043C519A7A914320B3F1F82117E8759AB0AEF35D981284F850B88E9DA249512CE90F62F943417825E95CF3505338B50B929331E375F3FC5A7E1D8F1A54E6A5657FA69B3C07AEA5FA7494F6851C09C684F9F9AF16FB0735ED01DD9F12FE05ECD77E42EF6D7B85C3BCF35EB92240D7B16A0900D08CCEC8E82F4989B74AEEF252DA87D73C01CDC32CDEDF001BDBCD7E4E7966473623826DB5F6DB28D7F8BA4A02C898B9FBBC97464E408DF82AC906FFDC20C098191A0A7EDFE35A7F53A95F24AE5D4FFAEFDEBF0809C590251D0CD18AD331FE1B719FC7476BB499FE4B7FB3DC2C31A5005F5F0A6F994F286208D1B14BAA3A7FA94BB17D4DFBBA2EEE25B424123312AD2106EEBBF74FA40B44D26444D3D31CEA3D551B8D02D5D68961BAC5A00A7C67641D22E13B7B38A8F2E3A1C981223DC02E1AAC84007F3A72FB6E1AFDE76A5BBE595AA7E9D44AF70F57648C832E049588868DC68BB366E90BA147E00B80243201693C8BC42A5D87F152ECF86409E1CAD0F21D6A152B75EE02AB30B14606144C3BCFF65E000A5D13C801351E9A273FC1ACDC5C5793BC9185814230F4634807A96FDC938CA8A58EA0036BD93B9200142E109123934627F86193E4217A3D079308FEE04A8FD9C8F6F842114F71B2C5F51E857FA796C53289414B6BE6263DE3AA31C4AB5B29C2084F26579176087F7061C062228E0F0A03C65CBED04AD27F887BBEBB839078589F06497DAAD947EBF95451244B2577977C68EB60E97C435D4260EEF35F1F01F14A0015BBC8644DDDB648053AB08480865BC37C5CE135EEF4B9BEB1DA6D8E7ABD9AECC04C6FDFD55D540B0E5F26CE503657242D9F7C28779C68F951AF376B5BAB3BCE9F0B8F07C70E607BF21B00FE33BEC3135D8604FF5EAF8C1438C7266ED0EEF732471A44928377B5252AEF635FEA9FE0A1A3142CE68B0275BD79ABA5CF981B260F479D6D5A9E052239EA7A34E6665788F964709BD8C15CEFEE0B839443A17D443A783AD5BBFB823A264304DBB8C4D870E1619060DFEF9706221BDC0F76E324854BAE96C28C50892605E5E2CCDFEB2773C2B62ECC0959DB1A8C6433FCAC93366C3C0F332380846B8967FF6500D7D5961FCD23819B549B5D5ED88A9144D2846A60CFFB148D28F0963D0B67B894D0CF22E66089BBEF29B3112D0C62148AD8B3EA6F64B03658A1968205A2F389B9BB0AF570A0A545E651822CBCBB280C559CD1C109AEBB01B4882EECC6BFE3F29F94A85F1BFE0CE923BFB0DBAEFB5192250B6BE258799C9B288A6D550E6CE9E1595DE816F4A78032D72B18517DB48096784319EE81382A4FD6C34A746286A9CA690D22703A5B7232AE2601CA7C8AAD762593E6A836FF231F644B18642B83A43BC4EAD521FE9D46C739189B092CF26D7116CFE06F05F73F094123CFEF906862079740BF19CA6E2AB95675C3C052F214DAC7D13D078C0AF8A18B063F400A5D2600976DA07FC1D110D418D137D3FE4798A89016A0FF1AF98B9DF53188E39602A5AE7E86A57801020696E1F95C49886B2423ED7B1EA6A12001D0DD3E0EB71859C2D316FB00E2024E48D069048FE3BA59376B129172380B0AB0A3443C7CA9927FFB0D22FF7F5A041D81C07676ED00EF0048DFEB56E089F1DCABEFAC801DA0D475CFC7CE4EAC82F7E727A8B13242DE6958F3E9EF6630C6DF00E362B71E76EA61DE938BCD9D7C0491A8A25659712DFE51E184E1F2B2F4D7725976F4DFD190DE9A949B2160A6A9E5FDDAC85A13CACB64E5828D3F8E33A2FDB1EE04BAB7A77D951B6FE80397AD7EB103F39E1329C5DD8E96502C170C3AA529C9DA6BDD90ABA5861906F6BF33DE7C2FEC2B2DDC432E0D98B505CEA3480417F336297E6701DDD9446EB28D0266057E8A86182FC1215405161B53CBBB6250E905357E88367B3C55CF07E13B9C64C9BAED439AEBF28AEDD394C707E47EDC7824606111958019C0ABD594D3CE93C27B3F383F3E60D033F81D82A7D65317780FA9A6F446B9573DA82C91EEDEB88D94CAD5FE6F40964FC771EBC5A9C480B8D850F83E9F40EE3638555E8AD4B2315CC4E431B608BA14063BEE693C651C5242823B558629DBB8D0D50C8D6899E791FEE010B2488263064E017B8D3E97A224AD121A7DB4A1200E72ADF27D177D9B00FF479267AD3A1DBC4DECD68C4F07C54842B4141E22224BB2FC67F0AFA98975C28874000000038694F701A0A7722FB088EA93BB7D4AF1BDAA7BB53E99AFA37BDB6AFACD5E2BDBC652BC8568C1B2A39A1BBF19D15A30C6D9560F0BF8EF4840C9150AB5EC035FA

Add for printing

Executable files

138

Suspicious files

386

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\..LICENSES.14.2368.temp.15.2368.temp		text
		MD5:E60C0CC3B71BAECC5F08C6158A711C79	SHA256:4FA74FBB073874153BB338746857BF75ED7BE0B436BDEDE1D8625EED2E6C0F3E
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\.Blizzard Uninstaller.exe.13.2368.temp		executable
		MD5:B8BB284B7CD26643DF6876D665FBDE02	SHA256:117420F75D1D5DB1B3908E0728F748198D37894AF980F7614226480C7DD7BAEB
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\.LICENSES.14.2368.temp		binary
		MD5:38419AB362517167EAFA313B5821D163	SHA256:BF0E312D933BC2A2E3869A05B7D760FAC5E4E569F4349572C5269683F43610BD
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\..AgentHelper.exe.17.2368.temp.18.2368.temp		executable
		MD5:F32FA7521BB9204664768AA814281662	SHA256:82C22832560D8E709B6B16B0507A0B438BF285D108B28A11058A7D0D6CBC8FC1
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\..Blizzard Uninstaller.exe.11.2368.temp.12.2368.temp.temp		executable
		MD5:B8BB284B7CD26643DF6876D665FBDE02	SHA256:117420F75D1D5DB1B3908E0728F748198D37894AF980F7614226480C7DD7BAEB
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\..LICENSES.14.2368.temp.15.2368.temp.temp		text
		MD5:E60C0CC3B71BAECC5F08C6158A711C79	SHA256:4FA74FBB073874153BB338746857BF75ED7BE0B436BDEDE1D8625EED2E6C0F3E
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\.LICENSES.16.2368.temp		text
		MD5:E60C0CC3B71BAECC5F08C6158A711C79	SHA256:4FA74FBB073874153BB338746857BF75ED7BE0B436BDEDE1D8625EED2E6C0F3E
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\.BlizzardError.exe.20.2368.temp		binary
		MD5:19E4267E5D1685D10F57D49890DEFA15	SHA256:BC1E5933220C841A38D211D9FFD0A2E6A239169F28BC0BE755365BC995BA56F0
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\.AgentHelper.exe.19.2368.temp		executable
		MD5:F32FA7521BB9204664768AA814281662	SHA256:82C22832560D8E709B6B16B0507A0B438BF285D108B28A11058A7D0D6CBC8FC1
2368	Diablo III Launcher.exe	C:\ProgramData\Battle.net\Agent\..AgentHelper.exe.17.2368.temp.18.2368.temp.temp		executable
		MD5:F32FA7521BB9204664768AA814281662	SHA256:82C22832560D8E709B6B16B0507A0B438BF285D108B28A11058A7D0D6CBC8FC1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

246

TCP/UDP connections

133

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2368	Diablo III Launcher.exe	POST	200	142.250.185.174:80	http://www.google-analytics.com/collect	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	POST	—	66.40.185.57:3724	http://iir.blizzard.com:3724/submit/BNET_APP	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.64.5:80	http://us.cdn.blizzard.com/tpr/configs/data/44/a2/44a2d275e5c59c15652e8f75b61ecfd8	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.64.7:80	http://us.cdn.blizzard.com/tpr/bnt001/config/72/6b/726bb970868e89ac36b2dfe06b912206	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.64.7:80	http://us.cdn.blizzard.com/tpr/configs/data/44/a2/44a2d275e5c59c15652e8f75b61ecfd8	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.64.4:80	http://us.cdn.blizzard.com/tpr/bnt001/config/72/6b/726bb970868e89ac36b2dfe06b912206	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.64.3:80	http://us.cdn.blizzard.com/tpr/configs/data/44/a2/44a2d275e5c59c15652e8f75b61ecfd8	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.64.7:80	http://us.cdn.blizzard.com/tpr/bnt001/config/5e/dd/5edd501be71e3db435f6eaf73f229245	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.106.28:1119	http://us.patch.battle.net:1119/agent/versions	unknown	—	—	whitelisted
2368	Diablo III Launcher.exe	GET	200	137.221.106.28:1119	http://us.patch.battle.net:1119/agent/cdns	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4004	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2092	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.189.173.25:443	browser.pipe.aria.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2524	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2368	Diablo III Launcher.exe	34.248.201.80:80	nydus.battle.net	AMAZON-02	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.25	whitelisted
google.com	142.250.186.110	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
nydus.battle.net	34.248.201.80 52.19.167.175	whitelisted
iir.blizzard.com	66.40.185.57	whitelisted
www.google-analytics.com	142.250.185.174	whitelisted
us.patch.battle.net	137.221.106.28	whitelisted
us.cdn.blizzard.com	137.221.64.2 137.221.64.8 137.221.64.6 137.221.64.1 137.221.64.3 137.221.64.5 137.221.64.7 137.221.64.4	whitelisted

Threats

PID	Process	Class	Message
2368	Diablo III Launcher.exe	Potential Corporate Privacy Violation	ET POLICY GeoIP Lookup (nydus.battle.net)

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Diablo III Launcher.exe

AFB2355B9EA23BBC732F1C81F5F2C9F3

7D5FED8E16DC3E340BC5519C49ABF16EE3C2F9BB

B3CD11C2AEDEB607066150D582FE15707D7A1A36B3965866772C1E6E3B304185

98304:TqtoSwEJkBYf7hEZ/PybjViwntc9CHFw4LxdAgNPEwzlQMMJfhqB6HA0GmXBT9WL:TqmsH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Potential Corporate Privacy Violation

Checks for external IP

Executable content was dropped or overwritten

Connects to unusual port

The process drops C-runtime libraries

Executes as Windows Service

Process drops legitimate windows executable

INFO

Checks supported languages

Creates files in the program directory

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings