File name: Guardian-Installer.exe

Full analysis: https://app.any.run/tasks/7d2af0f1-ec35-4be1-900c-d30ab43c54aa
Verdict: Malicious activity
Analysis date: August 04, 2023, 06:06:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FD3A112FBE712283E6CB27DCFDDC90FB
SHA1: A978A4CF28BE36802CD8F9A7C6DC537993E7C3E1
SHA256: D1774D9AB4F99058E613804C857F45A8C0BFA057A0CB1ABC22B71E58CE439D52
SSDEEP: 98304:momHVYSTRz6RkbmtNP/GySNjxY+XAo7QkoH2AqAsEXiNKIaz:momHVY0A5hI73wk72

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • msiexec.exe (PID: 2872)
      • msiexec.exe (PID: 1736)
      • msiexec.exe (PID: 2944)
    • Application was dropped or rewritten from another process

      • GuardianUC.exe (PID: 2016)
      • GuardianUC.exe (PID: 3500)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Guardian-Installer.exe (PID: 3328)
      • Guardian-Installer.exe (PID: 4028)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Reads settings of System Certificates

      • Guardian-Installer.exe (PID: 3328)
      • Guardian-Installer.exe (PID: 4028)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Reads the Windows owner or organization settings

      • Guardian-Installer.exe (PID: 3328)
      • Guardian-Installer.exe (PID: 4028)
    • Checks Windows Trust Settings

      • Guardian-Installer.exe (PID: 3328)
      • Guardian-Installer.exe (PID: 4028)
      • msiexec.exe (PID: 3940)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Executable content was dropped or overwritten

      • Guardian-Installer.exe (PID: 3328)
      • GuardianUC.exe (PID: 3500)
    • Reads Internet Explorer settings

      • Guardian-Installer.exe (PID: 3328)
    • Application launched itself

      • Guardian-Installer.exe (PID: 3328)
      • cmd.exe (PID: 3428)
    • Reads the Internet Settings

      • Guardian-Installer.exe (PID: 3328)
      • msiexec.exe (PID: 2872)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3100)
    • Starts itself from another location

      • GuardianUC.exe (PID: 3500)
    • Executing commands from a ".bat" file

      • GuardianUC.exe (PID: 2016)
      • cmd.exe (PID: 3428)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3428)
      • GuardianUC.exe (PID: 2016)
  • INFO

    • Checks supported languages

      • Guardian-Installer.exe (PID: 3328)
      • msiexec.exe (PID: 3940)
      • msiexec.exe (PID: 2872)
      • Guardian-Installer.exe (PID: 4028)
      • msiexec.exe (PID: 1736)
      • msiexec.exe (PID: 2944)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Reads the machine GUID from the registry

      • Guardian-Installer.exe (PID: 3328)
      • msiexec.exe (PID: 3940)
      • msiexec.exe (PID: 2872)
      • Guardian-Installer.exe (PID: 4028)
      • msiexec.exe (PID: 1736)
      • msiexec.exe (PID: 2944)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Reads the computer name

      • Guardian-Installer.exe (PID: 3328)
      • msiexec.exe (PID: 3940)
      • msiexec.exe (PID: 2872)
      • Guardian-Installer.exe (PID: 4028)
      • msiexec.exe (PID: 1736)
      • msiexec.exe (PID: 2944)
      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • The process checks LSA protection

      • Guardian-Installer.exe (PID: 3328)
      • msiexec.exe (PID: 3940)
      • msiexec.exe (PID: 2872)
      • Guardian-Installer.exe (PID: 4028)
      • VSSVC.exe (PID: 3100)
      • msiexec.exe (PID: 2944)
      • dllhost.exe (PID: 3640)
      • GuardianUC.exe (PID: 3500)
      • msiexec.exe (PID: 1736)
      • GuardianUC.exe (PID: 2016)
    • Creates files or folders in the user directory

      • Guardian-Installer.exe (PID: 3328)
      • GuardianUC.exe (PID: 3500)
    • Reads Environment values

      • Guardian-Installer.exe (PID: 3328)
      • Guardian-Installer.exe (PID: 4028)
      • GuardianUC.exe (PID: 2016)
    • Application launched itself

      • msiexec.exe (PID: 3940)
    • Create files in a temporary directory

      • Guardian-Installer.exe (PID: 3328)
      • msiexec.exe (PID: 3940)
      • GuardianUC.exe (PID: 3500)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3940)
    • Checks transactions between databases Windows and Oracle

      • msiexec.exe (PID: 2944)
    • Checks proxy server information

      • GuardianUC.exe (PID: 3500)
      • GuardianUC.exe (PID: 2016)
    • Creates files in the program directory

      • GuardianUC.exe (PID: 3500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

ProductVersion: 1.0.0.0
ProductName: Guardian
OriginalFileName: Guardian Anti Cheat.back2088dddddd.back.exe
LegalCopyright: Copyright (C) 2023 Guardian
InternalName: Guardian Anti Cheat.back2088dddddd.back
FileVersion: 1.0.0.0
FileDescription: Guardian Installer
CompanyName: Guardian
CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x1dd680
UninitializedDataSize: -
InitializedDataSize: 953856
CodeSize: 2519552
LinkerVersion: 14.36
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2023:06:28 09:20:41+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-Jun-2023 09:20:41
Detected languages:
  • English - United Kingdom
  • English - United States
Debug artifacts:
  • C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
CompanyName: Guardian
FileDescription: Guardian Installer
FileVersion: 1.0.0.0
InternalName: Guardian Anti Cheat.back2088dddddd.back
LegalCopyright: Copyright (C) 2023 Guardian
OriginalFileName: Guardian Anti Cheat.back2088dddddd.back.exe
ProductName: Guardian
ProductVersion: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 28-Jun-2023 09:20:41
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00267146 | 0x00267200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45818
.rdata | 0x00269000 | 0x0008EBFA | 0x0008EC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.6008
.data | 0x002F8000 | 0x0000D220 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.79118
.rsrc | 0x00306000 | 0x0002DA30 | 0x0002DC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.21976
.reloc | 0x00334000 | 0x000289B4 | 0x00028A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.51344

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.18931 | 2063 | Latin 1 / Western European | English - United Kingdom | RT_MANIFEST
2 | 1.97674 | 2440 | Latin 1 / Western European | English - United Kingdom | RT_ICON
3 | 1.83178 | 4264 | Latin 1 / Western European | English - United Kingdom | RT_ICON
4 | 1.57093 | 9640 | Latin 1 / Western European | English - United Kingdom | RT_ICON
5 | 7.90927 | 9361 | Latin 1 / Western European | English - United Kingdom | RT_ICON
9 | 3.29815 | 564 | Latin 1 / Western European | English - United Kingdom | RT_STRING
10 | 3.15121 | 386 | Latin 1 / Western European | English - United Kingdom | RT_STRING
11 | 2.24351 | 80 | Latin 1 / Western European | English - United Kingdom | RT_STRING
12 | 2.49103 | 154 | Latin 1 / Western European | English - United Kingdom | RT_STRING
13 | 3.27977 | 758 | Latin 1 / Western European | English - United Kingdom | RT_STRING

Imports

KERNEL32.dll
msi.dll (delay-loaded)
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 14
Malicious processes: 6
Suspicious processes: 3

Behavior graph

Interactive graph, not reproduced here (process details are available in the full report). Process nodes shown: guardian-installer.exe, msiexec.exe, msiexec.exe (no specs), guardian-installer.exe (no specs), vssvc.exe (no specs), msiexec.exe (no specs), msiexec.exe (no specs), HNetCfg.FwPolicy2 (no specs), guardianuc.exe, guardianuc.exe, cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), guardian-installer.exe (no specs). Legend: start, drop and start.

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1736
CMD: C:\Windows\system32\MsiExec.exe -Embedding C117A40346C1FC57C72459D72E24D9C4
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
PID: 2016
CMD: "C:\Users\admin\AppData\Local\Tempa4b433d74ba00ffa365b26907ce6e183\GuardianUC.exe" /install silentall "C:\Users\admin\AppData\Local\Tempa4b433d74ba00ffa365b26907ce6e183\GuardianUC.ini"
Path: C:\Users\admin\AppData\Local\Tempa4b433d74ba00ffa365b26907ce6e183\GuardianUC.exe
Parent process: GuardianUC.exe
User: admin
Company: Guardian
Integrity Level: HIGH
Description: GuardianUC 1.0.0.0
Exit code: 3758096419
Version: 1.0.0.0
Modules:
c:\users\admin\appdata\local\tempa4b433d74ba00ffa365b26907ce6e183\guardianuc.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2376
CMD: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\admin\AppData\Local\Temp\{18220F0D-1F43-4436-B92A-0EF419F800B7}..bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
PID: 2780
CMD: "C:\Users\admin\AppData\Local\Temp\Guardian-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Guardian-Installer.exe
Parent process: explorer.exe
User: admin
Company: Guardian
Integrity Level: MEDIUM
Description: Guardian Installer
Exit code: 3221226540
Version: 1.0.0.0
Modules:
c:\users\admin\appdata\local\temp\guardian-installer.exe
c:\windows\system32\ntdll.dll
PID: 2872
CMD: C:\Windows\system32\MsiExec.exe -Embedding E1DCA0A8D04E27C246C027378CD563D0 C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2944
CMD: C:\Windows\system32\MsiExec.exe -Embedding 8154DCBB91CF5C64A303F87431F47B82 E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\msiexec.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3100
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\ntdll.dll
c:\windows\system32\vssvc.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3248
CMD: C:\Windows\system32\cmd.exe /S /D /c" cls"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3328
CMD: "C:\Users\admin\AppData\Local\Temp\Guardian-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Guardian-Installer.exe
Parent process: explorer.exe
User: admin
Company: Guardian
Integrity Level: HIGH
Description: Guardian Installer
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\appdata\local\temp\guardian-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 3428
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\{18220F0D-1F43-4436-B92A-0EF419F800B7}..bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: GuardianUC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 23 351
Read events: 23 196
Write events: 142
Delete events: 13

Modification events

(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation: write
Name: Blob
Value:
53000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0190000000100000010000000EA6089055218053DD01E37E1D806EEDF620000000100000020000000E793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD21400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB1D0000000100000010000000885010358D29A38F059B028559C95F900B00000001000000100000005300650063007400690067006F0000000300000001000000140000002B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E0F000000010000003000000066B764A96581128168CF208E374DDA479D54E311F32457F4AEE0DBD2A6C8D171D531289E1CD22BFDBBD4CFD979625483090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703082000000001000000E2050000308205DE308203C6A003020102021001FD6D30FCA3CA51A81BBC640E35032D300D06092A864886F70D01010C0500308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF
0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A3423040301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300D06092A864886F70D01010C050003820201005CD47C0DCFF7017D4199650C73C5529FCBF8CF99067F1BDA43159F9E0255579614F1523C27879428ED1F3A0137A276FC5350C0849BC66B4EBA8C214FA28E556291F36915D8BC88E3C4AA0BFDEFA8E94B552A06206D55782919EE5F305C4B241155FF249A6E5E2A2BEE0B4D9F7FF70138941495430709FB60A9EE1CAB128CA09A5EA7986A596D8B3F08FBC8D145AF18156490120F73282EC5E2244EFC58ECF0F445FE22B3EB2F8ED2D9456105C1976FA876728F8B8C36AFBF0D05CE718DE6A66F1F6CA67162C5D8D083720CF16711890C9C134C7234DFBCD571DFAA71DDE1B96C8C3C125D65DABD5712B6436BFFE5DE4D661151CF99AEEC17B6E871918CDE49FEDD3571A21527941CCF61E326BB6FA36725215DE6DD1D0B2E681B3B82AFEC836785D4985174B1B9998089FF7F78195C794A602E9240AE4C372A2CC9C762C80E5DF7365BCAE0252501B4DD1A079C77003FD0DCD5EC3DD4FABB3FCC85D66F7FA92DDFB902F7F5979AB535DAC367B0874AA9289E238EFF5C276BE1B04FF307EE002ED45987CB524195EAF447D7EE6441557C8D590295DD629DC2B9EE5A287484A59BB790C70C07DFF589367432D628C1B0B00BE09C4CC31CD6FCE369B54746812FA282ABD3634470C48DFF2D33BAAD8F7BB57088AE3E19CF4028D8FCC890BB5D9922F552E658C51F883143EE881DD7C68E3C436A1DA718DE7D3D16F162F9CA90A8FD
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation: write
Name: Blob
Value:
0400000001000000100000001BFE69D191B71933A372A80FE155E5B5090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F000000010000003000000066B764A96581128168CF208E374DDA479D54E311F32457F4AEE0DBD2A6C8D171D531289E1CD22BFDBBD4CFD9796254830300000001000000140000002B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E0B00000001000000100000005300650063007400690067006F0000001D0000000100000010000000885010358D29A38F059B028559C95F901400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB620000000100000020000000E793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2190000000100000010000000EA6089055218053DD01E37E1D806EEDF53000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C02000000001000000E2050000308205DE308203C6A003020102021001FD6D30FCA3CA51A81BBC640E35032D300D06092A864886F70D01010C0500308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD51
8E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A3423040301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300D06092A864886F70D01010C050003820201005CD47C0DCFF7017D4199650C73C5529FCBF8CF99067F1BDA43159F9E0255579614F1523C27879428ED1F3A0137A276FC5350C0849BC66B4EBA8C214FA28E556291F36915D8BC88E3C4AA0BFDEFA8E94B552A06206D55782919EE5F305C4B241155FF249A6E5E2A2BEE0B4D9F7FF70138941495430709FB60A9EE1CAB128CA09A5EA7986A596D8B3F08FBC8D145AF18156490120F73282EC5E2244EFC58ECF0F445FE22B3EB2F8ED2D9456105C1976FA876728F8B8C36AFBF0D05CE718DE6A66F1F6CA67162C5D8D083720CF16711890C9C134C7234DFBCD571DFAA71DDE1B96C8C3C125D65DABD5712B6436BFFE5DE4D661151CF99AEEC17B6E871918CDE49FEDD3571A21527941CCF61E326BB6FA36725215DE6DD1D0B2E681B3B82AFEC836785D4985174B1B9998089FF7F78195C794A602E9240AE4C372A2CC9C762C80E5DF7365BCAE0252501B4DD1A079C77003FD0DCD5EC3DD4FABB3FCC85D66F7FA92DDFB902F7F5979AB535DAC367B0874AA9289E238EFF5C276BE1B04FF307EE002ED45987CB524195EAF447D7EE6441557C8D590295DD629DC2B9EE5A287484A59BB790C70C07DFF589367432D628C1B0B00BE09C4CC31CD6FCE369B54746812FA282ABD3634470C48DFF2D33BAAD8F7BB57088AE3E19CF4028D8FCC890BB5D9922F552E658C51F883143EE881DD7C68E3C436A1DA718DE7D3D16F162F9CA90A8FD
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Operation: write
Name: Blob
Value:
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
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Operation: write
Name: Blob
Value:
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
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
(PID) Process: (3328) Guardian-Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
(PID) Process: (4028) Guardian-Installer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 20
Suspicious files: 16
Text files: 21
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Roaming\Guardian\Guardian 1.0.0.0\install\Guardian Anti Cheat.back2088dddddd.back.msi | -
MD5: -
SHA256: -
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\MSI7412.tmp | executable
MD5: A9941233B9415B479D3B4F3732161EAB
SHA256: CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3328\repairic | image
MD5: 915E40A576FA41DC5F8486103341673E
SHA256: BF21B2BC3E7253968405F3D244CDB1C136672A5BDB088B524A333264898A2D11
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\MSI752E.tmp | executable
MD5: A9941233B9415B479D3B4F3732161EAB
SHA256: CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\MSI750E.tmp | executable
MD5: A9941233B9415B479D3B4F3732161EAB
SHA256: CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3328\grn1.png | -
MD5: -
SHA256: -
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3328\custicon | image
MD5: BE6D2F48AA6634FB2101C273C798D4D9
SHA256: 0E22BC2BF7184DFDB55223A11439304A453FB3574E3C9034A6497AF405C628EF
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Roaming\Guardian\Guardian 1.0.0.0\install\holder0.aiph | binary
MD5: 7F3B69E8ACE5880B7A41AC11998CA042
SHA256: B8D0953E80CA89E27669D48A46E8B24619C3F885082F5D942038677B68793F70
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3328\removico | image
MD5: 1FFFE5C3CC990D0C012A428A59B2AE46
SHA256: 45791627AE8E67E6B616117CF21F04DA381722FAF08D07C0C25E0F28C9B8F82B
3328 | Guardian-Installer.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3328\completi | image
MD5: C23AF89757665BC0386FD798A61B2112
SHA256: 031ED0378F819926D7B5B2C6C9367A0FB1CBAE40E1A3959E2652FE30A47D52F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 9
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3500 | GuardianUC.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA3g%2F7XuYsthEJ9gjJztXtM%3D | US | binary | 471 b | whitelisted
3500 | GuardianUC.exe | GET | 200 | 67.26.137.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9d8e3f290b5ae3b3 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2640 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3500 | GuardianUC.exe | 217.160.0.240:443 | guardiananticheat.com | IONOS SE | DE | malicious
3500 | GuardianUC.exe | 67.26.137.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious
3500 | GuardianUC.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2016 | GuardianUC.exe | 217.160.0.240:443 | guardiananticheat.com | IONOS SE | DE | malicious
1088 | svchost.exe | 67.26.137.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious

DNS requests

Domain | IP | Reputation
guardiananticheat.com | 217.160.0.240 | unknown
ctldl.windowsupdate.com | 67.26.137.254, 67.27.158.254, 8.241.122.126, 8.253.95.120, 67.26.139.254 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats

No threats detected
Process | Message
GuardianUC.exe | Logger::SetLogFile( C:\Program Files (x86)\\Guardian\updater.log ) while OLD path is:
GuardianUC.exe | Logger::SetLogFile( C:\Program Files (x86)\\Guardian\updater.log ) while OLD path is: