gameguard_installer.msi
Full analysis: https://app.any.run/tasks/a73ba270-92ff-464c-bf1f-df14418071fa
Verdict: Malicious activity
Analysis date: May 12, 2020, 12:01:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: GameGuard, Author: GameGuard AntiCheat, OnMoon Company LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install GameGuard., Create Time/Date: Mon Apr 27 11:03:50 2020, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 4, Template: Intel;1033,1049, Last Saved By: Intel;1033,1049, Revision Number: {29E21532-9593-4157-A2DA-5A3BF648CCB3}1.0.0.0;{4B2EA7DF-F836-4BB7-88FE-ECA3C68E1CD9}1.0.0.0;{EF6C8D41-299A-433C-8C1E-1F3EB0388F1E}, Number of Pages: 200, Number of Characters: 131135
MD5: 21C958EFE567D9578FED43AF9656C613
SHA1: 0D8E244B6A17CFEE7300B0B586DED9A00CCA2457
SHA256: 44718E82AC631DF4965C197906E82B77CD66EBF517F7EB28023AEE0142FCD6BF
SSDEEP: 196608:cu9txMEIQH/1ohoAkRq5N6rGUiMN0g8ALG8TdZZr6UlI/QW6xR:cu7x8QH/FAkNrGUj0g85SXxxR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • acsvc.exe (PID: 3580)
      • gameguard.exe (PID: 3276)
      • gameguard.exe (PID: 3380)
  • SUSPICIOUS

    • Executed as Windows Service

      • acsvc.exe (PID: 3580)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3032)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3064)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: GameGuard
Author: GameGuard AntiCheat, OnMoon Company LLC
Keywords: Installer
Comments: This installer database contains the logic and data required to install GameGuard.
Template: Intel;1033,1049
RevisionNumber: {C1E7F34D-DB68-48B2-B9E3-8FBA1DDC63BC}
CreateDate: 2020:04:27 10:03:42
ModifyDate: 2020:04:27 10:03:42
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.1.2318)
Security: Read-only recommended
LastModifiedBy: Intel;1033,1049
Characters: 131135
Processes: total 48, monitored 5, malicious 1, suspicious 0

Behavior graph (parent relationships as listed in the process table below)

  • explorer.exe → msiexec.exe (PID 3032) → MsiExec.exe -Embedding (PID 3064, no specs)
  • MsiExec.exe → gameguard.exe (PID 3276, no specs); MsiExec.exe → gameguard.exe (PID 3380)
  • services.exe → acsvc.exe (PID 3580, no specs)

Process information

PID 3032: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\gameguard_installer.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
  Loaded images: c:\windows\system32\msiexec.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 3064: C:\Windows\system32\MsiExec.exe -Embedding 51C41CDD5E63272418D0A193C1D0A013 C
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
  Loaded images: c:\windows\system32\msiexec.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 3276: "C:\Program Files\GameGuard\gameguard.exe"
  Path: C:\Program Files\GameGuard\gameguard.exe
  Parent process: MsiExec.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the binary requested elevation and exited before doing any work; PID 3380 below is the same binary relaunched at HIGH integrity)
  Loaded images: c:\program files\gameguard\gameguard.exe, c:\systemroot\system32\ntdll.dll

PID 3380: "C:\Program Files\GameGuard\gameguard.exe"
  Path: C:\Program Files\GameGuard\gameguard.exe
  Parent process: MsiExec.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Loaded images: c:\program files\gameguard\gameguard.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shell32.dll

PID 3580: "C:\Program Files\GameGuard\acsvc.exe"
  Path: C:\Program Files\GameGuard\acsvc.exe
  Parent process: services.exe
  User: SYSTEM
  Integrity level: SYSTEM
  Exit code: 0
  Loaded images: c:\program files\gameguard\acsvc.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\wtsapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\userenv.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\profapi.dll, c:\windows\system32\ws2_32.dll
Events: total 199 (read 185, write 14, delete 0)

Modification events

  • PID 3032 msiexec.exe: write HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E\LanguageList = en-US
  • PID 3064 MsiExec.exe: write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
  • PID 3064 MsiExec.exe: write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 1
Files: executable 1, suspicious 0, text 0, unknown types 0

Dropped files

  • PID 3032 msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI4436.tmp (executable)
    MD5: D773D9BD091E712DF7560F576DA53DE8
    SHA256: E0DB1804CF53ED4819ED70CB35C67680CE1A77573EFDED86E6DAC81010CE55E7
Network: HTTP(S) requests 1, TCP/UDP connections 1, DNS requests 1, threats 0

HTTP requests

  • PID 3380 gameguard.exe: POST http://acpupdate.gameguard.ac/lijehdnjgwtzdrgsxghoqfybusbjmu to 104.19.231.119:80 (CN US); HTTP 200, type text, size 6.37 MB, reputation unknown

Connections

  • PID 3380 gameguard.exe → 104.19.231.119:80 (acpupdate.gameguard.ac, ASN Cloudflare Inc, CN US, reputation unknown)

DNS requests

  • acpupdate.gameguard.ac → 104.19.231.119, 104.19.230.119 (reputation unknown)

Threats

No threats detected
No debug info
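An added triage example, not part of the ANY.RUN report and not the sandbox's own code: the indicators above (dropped-file hashes, the acpupdate.gameguard.ac domain and its Cloudflare IPs, the msiexec → Program Files → service → port-80 chain, and the STATUS_ELEVATION_REQUIRED retry) encoded as a small Python hunt over Sysmon-style event records. The event records are constructed to mirror the report's process and network tables; the service name `acsvc` and the SHA256 enrichment on the file-create event are assumptions, flagged in the code.

```python
"""Hunt the installer -> service -> cleartext HTTP chain from the report above.

Added example for this page (not ANY.RUN's code). IOC values are copied from
the report; SAMPLE_EVENTS is CONSTRUCTED in a Sysmon-style shape
(EventID 1 process create, 3 network connect, 11 file create, 7045 service install).
"""
import re
from collections import defaultdict

# Indicators copied from the report.
IOC_SHA256 = {
    "44718E82AC631DF4965C197906E82B77CD66EBF517F7EB28023AEE0142FCD6BF",  # gameguard_installer.msi
    "E0DB1804CF53ED4819ED70CB35C67680CE1A77573EFDED86E6DAC81010CE55E7",  # MSI4436.tmp
}
IOC_DOMAINS = {"acpupdate.gameguard.ac"}
IOC_IPS = {"104.19.231.119", "104.19.230.119"}
STATUS_ELEVATION_REQUIRED = 0xC000042C  # decimal 3221226540, exit code of PID 3276 in the report

INSTALLER = re.compile(r"\\msiexec\.exe$", re.IGNORECASE)


def sha256_from_hashes(field):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", field or "")
    return m.group(1).upper() if m else None


def hunt(events):
    """Return (kind, detail) findings; events must be in chronological order."""
    findings = []
    dropped = {}                # lower-cased path -> PID of the msiexec that wrote it
    starts = defaultdict(list)  # lower-cased image -> integrity levels it was started with
    for e in events:
        eid = e["EventID"]
        if eid in (1, 11):
            h = sha256_from_hashes(e.get("Hashes"))
            if h in IOC_SHA256:
                target = e["Image"] if eid == 1 else e["TargetFilename"]
                findings.append(("ioc_hash", f"{target} has known-bad SHA256 {h}"))
        if eid == 11 and INSTALLER.search(e["Image"]):
            dropped[e["TargetFilename"].lower()] = e["ProcessId"]
        elif eid == 1:
            img = e["Image"].lower()
            starts[img].append(e["IntegrityLevel"])
            if img in dropped and INSTALLER.search(e["ParentImage"]):
                findings.append(("drop_and_exec",
                    f"msiexec PID {dropped[img]} wrote {e['Image']} and launched it as PID {e['ProcessId']}"))
        elif eid == 7045:
            path = e["ImagePath"].strip('"').lower()
            if path in dropped:
                findings.append(("service_from_drop",
                    f"service {e['ServiceName']} installed from dropped {e['ImagePath']}, runs as {e['AccountName']}"))
        elif eid == 3:
            reasons = []
            if e.get("DestinationHostname") in IOC_DOMAINS:
                reasons.append("IOC domain")
            if e.get("DestinationIp") in IOC_IPS:
                reasons.append("IOC IP")
            if e["Image"].lower() in dropped and e["DestinationPort"] == 80:
                reasons.append("cleartext HTTP from a dropped binary")
            if reasons:
                findings.append(("network",
                    f"PID {e['ProcessId']} -> {e.get('DestinationHostname')}:{e['DestinationPort']} ({', '.join(reasons)})"))
    # The report shows gameguard.exe exiting 0xC000042C at Medium integrity and then
    # running again at High: a dropped binary relaunched through a UAC prompt.
    for img, levels in starts.items():
        if "Medium" in levels and "High" in levels:
            findings.append(("uac_relaunch",
                f"{img} started at {' then '.join(levels)} (first run would exit 0x{STATUS_ELEVATION_REQUIRED:08X})"))
    return findings


PF = r"C:\Program Files\GameGuard"
SAMPLE_EVENTS = [  # constructed; PIDs, paths and network values mirror the report
    {"EventID": 1, "ProcessId": 3032, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    # Sysmon event 11 carries no hashes itself; the Hashes field is an assumed enrichment.
    {"EventID": 11, "ProcessId": 3032, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\admin\AppData\Local\Temp\MSI4436.tmp",
     "Hashes": "SHA256=E0DB1804CF53ED4819ED70CB35C67680CE1A77573EFDED86E6DAC81010CE55E7"},
    {"EventID": 11, "ProcessId": 3032, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": PF + r"\gameguard.exe"},
    {"EventID": 11, "ProcessId": 3032, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": PF + r"\acsvc.exe"},
    {"EventID": 1, "ProcessId": 3276, "Image": PF + r"\gameguard.exe",
     "ParentImage": r"C:\Windows\system32\MsiExec.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessId": 3380, "Image": PF + r"\gameguard.exe",
     "ParentImage": r"C:\Windows\system32\MsiExec.exe", "IntegrityLevel": "High"},
    {"EventID": 7045, "ServiceName": "acsvc",  # service name assumed; the report lists only the binary
     "ImagePath": '"' + PF + r'\acsvc.exe"', "AccountName": "LocalSystem"},
    {"EventID": 1, "ProcessId": 3580, "Image": PF + r"\acsvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "IntegrityLevel": "System"},
    {"EventID": 3, "ProcessId": 3380, "Image": PF + r"\gameguard.exe",
     "DestinationHostname": "acpupdate.gameguard.ac", "DestinationIp": "104.19.231.119",
     "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 1200, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationHostname": "www.msn.com", "DestinationIp": "13.107.21.200", "DestinationPort": 443},
]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

The "dropped" map is what ties the chain together: a service image or an outbound socket is only interesting here because an installer wrote that file moments earlier. Feeding real Sysmon data means keeping events in time order and, for file hashes, using an event source that actually records them (Sysmon event 1 for executed images, or a FileCreate enrichment as assumed above).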