Malware Analysis Report

2025-08-06 00:52

Sample ID 230430-zt81dsba98
Target GOG_Galaxy_2.0.exe
SHA256 3a19fd486163e03d64d375cc71897e833b9f86a2f3935c8578c277eb6227a49a
Tags
upx lumma discovery evasion persistence stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad. The file GOG_Galaxy_2.0.exe (SHA256 3a19fd486163e03d64d375cc71897e833b9f86a2f3935c8578c277eb6227a49a) scored 10/10.

Malicious Activity Summary

Tags: upx lumma discovery evasion persistence stealer trojan

Signatures listed in the summary:

Lumma Stealer

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-30 21:01

Signatures

UPX packed file

upx
No description, indicator, process, or target is recorded for this static signature.

Unsigned PE

No description, indicator, process, or target is recorded for this static signature (two empty rows).

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-30 21:01

Reported

2023-04-30 21:06

Platform

win7-20230220-en

Max time kernel

156s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"

Signatures

Lumma Stealer

stealer lumma

No description, indicator, process, or target rows are recorded for this signature; it is the only signature in this analysis that carries the stealer and lumma tags, so the family attribution cannot be checked against the detonation details shown here.

Downloads MZ/PE file

No rows are recorded for this signature.

Loads dropped DLL

Description and Indicator are N/A in every row; only the loading process is recorded. The 58 rows collapse to the following processes, in order of first appearance, with the number of load events in brackets:
C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe [4]
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe [1]
C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp [7]
C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe [1]
C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe [1]
C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe [1]
C:\Windows\system32\DllHost.exe [1]
C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe [21]
C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe [14]
C:\Windows\SysWOW64\WerFault.exe [7]

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\GalaxyClient C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\GogGalaxy = "C:\\Program Files (x86)\\GOG Galaxy\\GalaxyClient.exe /launchViaAutoStart" C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-QRRLE.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-QOD20.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\gogGalaxyLogo\is-C1PPC.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\src\images\is-MJDJM.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-GO68R.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-N9EIF.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\galaxy\is-AUKOD.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\angularLocales\is-0UP1T.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\galaxy\unittest\is-JD7FQ.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-2EN0F.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\locales\is-KU8G4.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-05OUH.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-P1OGQ.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-82HHV.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\python\is-5OSL6.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\multidict\is-S26KB.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\is-IAR4C.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-GMDOT.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\locales\is-DL5EV.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-LN9IH.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-CBTV4.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\galaxy\api\is-00T48.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\Icons\is-UP5O1.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\Icons\is-UMQHP.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\discover\welcomeOfferCovers\is-NRGGS.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\locales\ko-KR\is-507KJ.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\src\images\is-2GQDF.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\is-6H6KM.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\licences\LatoWeb Font\is-N4Q5J.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-NAHKJ.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-L91OU.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-NTFCT.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-BQI1B.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\is-E0IJ1.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\is-3BSRM.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-P19NF.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-C819P.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-3QJ50.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\yarl\is-KSSM9.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\locales\is-EIOCL.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\python\is-6FHG3.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\zoneinfo\is-VU3SF.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\locales\pl-PL\is-893LT.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\locales\fr-FR\is-CJ336.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\multidict\is-E5TJN.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File opened for modification C:\Program Files (x86)\GOG Galaxy\python\libssl-1_1.dll C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\python\is-H9R87.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-O7HDI.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-6QTSE.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-VLA2I.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\imageformats\is-14PFQ.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\imageformats\is-HHI0E.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\swiftshader\is-EU80L.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-9UNK7.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-BP7SN.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-S6TPS.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-13EQM.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\styles\is-969P5.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-IFKLP.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-H071A.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-CHRKS.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-08J77.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\idna\is-913PL.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\is-N51S2.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\is-9GGV3.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-CVUIE.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-5PDND.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-07S2A.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-NHV0A.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-PRKHG.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-03AFM.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A
File created C:\Windows\Fonts\is-REJFS.tmp C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob value not preserved in this copy of the report] C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbd3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A

Both keys sit under AuthRoot, the store in which Windows caches third-party root certificates fetched by the automatic root update. The 0563B863... blob is a CryptoAPI property list whose certificate property (0x20, length 0x3bb) holds a self-signed certificate for CN=DigiCert Assured ID Root CA, O=DigiCert Inc (the names are readable as ASCII inside the hex), valid from 2006-11-10 to 2031-11-10; the key name is that certificate's SHA-1 thumbprint, which the blob also stores as property 3. A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the thumbprint of DigiCert Global Root CA. Writing two public roots into AuthRoot is consistent with the root update caching a root that a TLS handshake chained to and the machine did not yet have; the signature would point to evasion only if a thumbprint did not correspond to a root in a trusted root program.
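
To check what a Blob value like the one above actually carries, the following Python (an added example, not code from the report or from the sandbox vendor) parses the CryptoAPI serialized property list, pulls the DER certificate out of CERT_CERT_PROP_ID, and compares its SHA-1 with the registry key name and with the stored CERT_SHA1_HASH_PROP_ID. The blob is the first 0563B863... value above with its two wrapped lines joined; the property numbers are from wincrypt.h; the common-name and validity extraction are byte-pattern scans rather than a full ASN.1 decoder, which is sufficient for a root certificate but is an assumption for arbitrary input.

```python
"""Decode a CryptoAPI certificate Blob (the value under SystemCertificates\\AuthRoot\\
Certificates\\<thumbprint>\\Blob) and check the certificate inside against the key name.
Added example, not part of the sandbox report; property IDs are from wincrypt.h, and the
name/date extraction is a byte-pattern scan rather than a full ASN.1 parser."""
import hashlib
import re
import struct

PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID", 9: "CERT_ENHKEY_USAGE_PROP_ID",
              11: "CERT_FRIENDLY_NAME_PROP_ID", 15: "CERT_SIGNATURE_HASH_PROP_ID",
              20: "CERT_KEY_IDENTIFIER_PROP_ID", 25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
              29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID"}

# Registry key name from the report; Windows names AuthRoot entries by SHA-1 thumbprint.
KEY_THUMBPRINT = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"

# DER Name C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA.
# The certificate is self-signed, so the same bytes serve as issuer and as subject.
_DN = ("3065310b3009060355040613025553" "31153013060355040a130c446967694365727420496e63"
       "31193017060355040b13107777772e64696769636572742e636f6d"
       "312430220603550403131b4469676943657274204173737572656420494420526f6f74204341")

# Blob from the report's first "Set value (data)" row, its two wrapped lines joined.
BLOB_HEX = (
    "04000000010000001000000087ce0b7b2a0e4900e158719b37a89372"                      # prop 4
    "0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"              # prop 15
    "090000000100000034000000" "3032" "06082b06010505070301" "06082b06010505070302"  # prop 9 (EKU)
    "06082b06010505070304" "06082b06010505070303" "06082b06010505070308"
    "14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f"              # prop 20
    "0b0000000100000012000000440069006700690043006500720074000000"                  # prop 11
    "1d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c"                      # prop 29
    "0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43"              # prop 3
    "190000000100000010000000749966cecc95c1874194ca7203f9b620"                      # prop 25
    "2000000001000000bb030000"                                                      # prop 32 header
    "308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039"                # cert, tbs, v3, serial
    "300d06092a864886f70d0101050500" + _DN                                          # sha1WithRSA, issuer
    + "301e170d3036313131303030303030305a170d3331313131303030303030305a" + _DN      # validity, subject
    + "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"          # RSA-2048 SPKI
    "ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600c" "f880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c3184"
    "2af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2" "125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3"
    "a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e90" "35c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917"
    "9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c4" "7e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f"
    "0203010001"                                                                    # e = 65537
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"    # KU, BC
    "301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f"                # SKI
    "301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f"            # AKI
    "300d06092a864886f70d01010505000382010100"                                      # sigalg, signature
    "a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b3" "9fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12"
    "d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0" "dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f0105"
    "9bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067" "b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3"
    "672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101" "b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2"
)


def parse_cert_blob(blob):
    """Walk the serialized property list: <prop_id u32><reserved u32 = 1><length u32><data>."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_total_length(der):
    """Size of the outermost DER element (tag + length field + content), short or long form."""
    n = der[1] & 0x7F if der[1] >= 0x80 else 0
    return 2 + n + (int.from_bytes(der[2:2 + n], "big") if n else der[1])


def common_names(cert):
    """Each id-at-commonName (2.5.4.3) with a short-form string: issuer CN, then subject CN."""
    pat = re.compile(rb"\x06\x03\x55\x04\x03[\x0c\x13\x16]([\x01-\x7f])")
    return [cert[m.end():m.end() + m.group(1)[0]].decode("latin-1") for m in pat.finditer(cert)]


def validity(cert):
    """notBefore/notAfter from the Validity SEQUENCE (two 13-byte UTCTime values)."""
    i = cert.index(b"\x30\x1e\x17\x0d") + 4
    if cert[i + 13:i + 15] != b"\x17\x0d":
        raise ValueError("second UTCTime missing")
    return cert[i:i + 13].decode(), cert[i + 15:i + 28].decode()


def summarize_blob(blob_hex, key_thumbprint):
    """Decode the blob and say whether the embedded certificate matches the key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[32]
    if der_total_length(cert) != len(cert):
        raise ValueError("CERT_CERT_PROP_ID length disagrees with the DER header")
    sha1 = hashlib.sha1(cert).hexdigest()
    not_before, not_after = validity(cert)
    return {"properties": [PROP_NAMES.get(p, f"PROP_{p}") for p in props],
            "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
            "common_names": common_names(cert), "not_before": not_before, "not_after": not_after,
            "cert_len": len(cert), "thumbprint": sha1,
            # True only when SHA-1(cert), the key name and the stored SHA-1 property all agree.
            "matches_key": sha1 == key_thumbprint.lower() == props[3].hex()}
```

Calling summarize_blob(BLOB_HEX, KEY_THUMBPRINT) returns the friendly name "DigiCert", the CN "DigiCert Assured ID Root CA" for issuer and subject, the 2006/2031 validity, and matches_key True. A False there (which is what any altered byte in the certificate produces) is the case to escalate; a True against a thumbprint that belongs to no public root program is the rogue-CA pattern this signature exists to catch.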

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Both of these hits, and one of the SetWindowsHookEx hits below, are attributed to C:\Program Files\VideoLAN\VLC\vlc.exe, which does not appear in the dropped-file or process-write rows of this analysis. Unless the process list shows vlc.exe being launched by the installer chain, treat them as activity of the analysis environment rather than of the sample.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe N/A
N/A N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe N/A
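
The rows under Suspicious use of WriteProcessMemory, which follow, record one writer/target pair per line and repeat each pair several times. The Python below, added here as an example and not part of the report, parses rows in that exact layout, collapses the duplicates into counted edges, rebuilds the parent/child tree, and lists the edges whose target is a System32 or SysWOW64 binary for manual review. Its input is reconstructed from the distinct pairs in the report and their repeat counts (paths as printed in the report; the count for the last pair covers only the rows visible here).

```python
"""Rebuild the process tree behind the "Suspicious use of WriteProcessMemory" rows.
Added example, not part of the sandbox report; the input is reconstructed from the
report's distinct writer/target pairs and their repeat counts."""
import re
from collections import Counter, defaultdict

# Row layout in the report: "PID <writer> wrote to memory of <target> N/A <writer path> <target path>".
# Both paths start with "C:\" and may contain spaces, so the first is matched lazily up to " C:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
INST = r"C:\Program Files (x86)\GOG Galaxy"
_EDGES = [  # (writer, target, writer path, target path, rows in the report)
    (1740, 736, TMP + r"\GOG_Galaxy_2.0.exe", TMP + r"\GalaxyInstaller_VQXNW\GalaxyInstaller.exe", 4),
    (736, 824, TMP + r"\GalaxyInstaller_VQXNW\GalaxyInstaller.exe", TMP + r"\GalaxyInstaller_VQXNW\GalaxySetup.exe", 7),
    (824, 1416, TMP + r"\GalaxyInstaller_VQXNW\GalaxySetup.exe", TMP + r"\is-V8DIT.tmp\GalaxySetup.tmp", 7),
    (1416, 748, TMP + r"\is-V8DIT.tmp\GalaxySetup.tmp", TMP + r"\is-8BF6K.tmp\VC_redist.x86.exe", 7),
    (748, 1068, TMP + r"\is-8BF6K.tmp\VC_redist.x86.exe",
     r"C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe", 7),
    (1416, 1052, TMP + r"\is-V8DIT.tmp\GalaxySetup.tmp", TMP + r"\is-8BF6K.tmp\VC_redist.x64.exe", 7),
    (1052, 1096, TMP + r"\is-8BF6K.tmp\VC_redist.x64.exe", r"C:\Windows\system32\DllHost.exe", 7),
    (1416, 268, TMP + r"\is-V8DIT.tmp\GalaxySetup.tmp", INST + r"\GalaxyClient.exe", 2),
]
# Expanded back into the duplicated rows exactly as the report prints them (constructed input).
SAMPLE_ROWS = "\n".join(f"PID {w} wrote to memory of {t} N/A {wp} {tp}"
                        for w, t, wp, tp, n in _EDGES for _ in range(n))


def parse_rows(text):
    """Collapse duplicate rows into one edge per (writer, target) with a count, and remember
    the image path seen for every PID."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            w, t = int(m[1]), int(m[2])
            edges[(w, t)] += 1
            names[w], names[t] = m[3], m[4]
    return edges, names


def build_tree(edges):
    """Parent -> children map plus the roots (writers that are never a target)."""
    children = defaultdict(list)
    for w, t in edges:  # Counter keeps first-seen order, so children stay in report order
        if t not in children[w]:
            children[w].append(t)
    targets = {t for _, t in edges}
    return [pid for pid in children if pid not in targets], dict(children)


def system_binary_targets(edges, names):
    """Edges whose target is a binary under System32/SysWOW64. A parent writes the parameter
    block of a child it has just created, so parent->child writes are expected in an installer
    chain; the same write into an already-running system process would be injection. The rows
    alone do not say which, so these edges go on the review list."""
    sysdirs = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    return [(w, t) for w, t in edges if names[t].lower().startswith(sysdirs)]


def render(text):
    """Indented tree, one line per process, with the number of write events on each edge."""
    edges, names = parse_rows(text)
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        note = f"  <- {writes} write events" if writes else ""
        lines.append(f"{'  ' * depth}{pid}  {names[pid]}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_ROWS))
    print("review:", system_binary_targets(*parse_rows(SAMPLE_ROWS)))
```

On the sample rows the tree has a single root, PID 1740 (GOG_Galaxy_2.0.exe), and only one edge lands on the review list, 1052 -> 1096 (VC_redist.x64.exe writing into DllHost.exe). Deciding whether that DllHost.exe was a COM surrogate the redistributable had just launched or a pre-existing process needs the start times from the process list; these rows cannot settle it.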

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Identical rows are collapsed; the bracketed figure is the number of times the row appears.
PID 1740 wrote to memory of 736 [4 rows] N/A C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe
PID 736 wrote to memory of 824 [7 rows] N/A C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe
PID 824 wrote to memory of 1416 [7 rows] N/A C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp
PID 1416 wrote to memory of 748 [7 rows] N/A C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe
PID 748 wrote to memory of 1068 [7 rows] N/A C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe
PID 1416 wrote to memory of 1052 [7 rows] N/A C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe
PID 1052 wrote to memory of 1096 [7 rows] N/A C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe C:\Windows\system32\DllHost.exe
PID 1416 wrote to memory of 268 [2 rows] N/A C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
PID 1416 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
PID 1416 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
PID 268 wrote to memory of 2324 N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe C:\Windows\SysWOW64\WerFault.exe
PID 268 wrote to memory of 2324 N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe C:\Windows\SysWOW64\WerFault.exe
PID 268 wrote to memory of 2324 N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe C:\Windows\SysWOW64\WerFault.exe
PID 268 wrote to memory of 2324 N/A C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe C:\Windows\SysWOW64\WerFault.exe
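The WriteProcessMemory rows above are emitted one per call and repeat the same source/target pairs, which hides the shape of the activity. The following Python is an added example, not code from the report or the sandbox: it parses rows in either form (one row per call, or rows collapsed with an "(N events)" count), folds repeats into a per-edge count and prints the resulting process tree. The sample rows are transcribed from the table above; the row layout the parser assumes ("PID <src> wrote to memory of <dst> <indicator> <source image> <target image>") is my reading of how the report renders them. The check worth doing with the output is to compare each target with the Processes list: here every target is an image the source is consistent with having launched (an installer writing into the redistributable and client it just started, a crashing client writing into WerFault), which is what process creation looks like to this signature. A write into an unrelated process that was already running is the case that would deserve a closer look.

```python
"""Build a process tree from the WriteProcessMemory rows of a sandbox report.

Added example, not part of the report. The sample rows are transcribed from the
signature table above; the row format assumed by the parser is this example's
own reading of that table.
"""
import re
from collections import Counter

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SETUP = TMP + r"\is-V8DIT.tmp\GalaxySetup.tmp"
X86 = TMP + r"\is-8BF6K.tmp\VC_redist.x86.exe"
X86_CR = r"C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe"
X64 = TMP + r"\is-8BF6K.tmp\VC_redist.x64.exe"
DLLHOST = r"C:\Windows\system32\DllHost.exe"
CLIENT = r"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the table above: (row text, number of times the row appears).
SAMPLE_ROWS = [
    (f"PID 1416 wrote to memory of 748 N/A {SETUP} {X86}", 3),
    (f"PID 748 wrote to memory of 1068 N/A {X86} {X86_CR}", 7),
    (f"PID 1416 wrote to memory of 1052 N/A {SETUP} {X64}", 7),
    (f"PID 1052 wrote to memory of 1096 N/A {X64} {DLLHOST}", 7),
    (f"PID 1416 wrote to memory of 268 N/A {SETUP} {CLIENT}", 4),
    (f"PID 268 wrote to memory of 2324 N/A {CLIENT} {WERFAULT}", 4),
]
# Expanded to one row per call, exactly as the sandbox lists them.
ROWS = [row for row, n in SAMPLE_ROWS for _ in range(n)]

ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events?\))? (\S+) (.+)$"
)


def parse_row(row):
    """Return (src_pid, dst_pid, count, src_image, dst_image), or None if the
    line is not a WriteProcessMemory row. A '(N events)' suffix, present when
    a table has been collapsed, is honoured; a bare row counts as one event."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    src, dst, count, _indicator, images = m.groups()
    # Both images are absolute paths and may contain spaces ("Program Files
    # (x86)"), so split at the last " C:\" rather than on whitespace.
    cut = images.rfind(" C:\\")
    if cut < 0:
        return None
    return int(src), int(dst), int(count or 1), images[:cut], images[cut + 1:]


def build_tree(rows):
    """Return (children, image, writes): parent -> child pids in first-seen
    order, pid -> image path, and (src, dst) -> number of write events."""
    children, image, writes = {}, {}, Counter()
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        src, dst, count, src_img, dst_img = parsed
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if (src, dst) not in writes:
            children.setdefault(src, []).append(dst)
        writes[(src, dst)] += count
    return children, image, writes


def roots(children):
    """Pids that write into others but are never written into themselves."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def render(children, image, writes, pid, depth=0):
    """Indented text tree; each child line carries its write count."""
    name = image.get(pid, "?").rsplit("\\", 1)[-1]
    lines = ["    " * depth + f"{pid} {name}"]
    for child in children.get(pid, []):
        n = writes[(pid, child)]
        sub = render(children, image, writes, child, depth + 1)
        sub[0] += f"  ({n} write{'s' if n != 1 else ''} from {pid})"
        lines.extend(sub)
    return lines


def process_tree(rows):
    """Whole forest as one string, one root per process never written into."""
    children, image, writes = build_tree(rows)
    out = []
    for root in roots(children):
        out.extend(render(children, image, writes, root))
    return "\n".join(out)


if __name__ == "__main__":
    print(process_tree(ROWS))
```

Run as a script it prints a single tree rooted at 1416 (GalaxySetup.tmp) with the two redistributable chains and the GalaxyClient.exe to WerFault.exe branch under it; the same functions accept any list of rows pasted from a report.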

Processes

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe

"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe

"C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExMS4wLjAuMCBTYWZhcmkvNTM3LjM2IE9QUi85Ny4wLjAuMCIsInVuaXF1ZV9pZCI6IjE2ODI4ODgwOTctODNlRGdJbC9KZW1oeW1QZ1l4SDBEQT09In0sImxvZ2luX3BhcmFtZXRlcnMiOiJvcmlnaW49aHR0cCUzQSUyRiUyRmdhbGF4eTItc2lnbnVwLmdvZy5wcm9kJTJGZW4lMkYlM0ZlbWJlZGRhYmxlJTNEdHJ1ZSZvcmlnaW5fdXNlcl9hZ2VudD1Nb3ppbGxhJTJGNS4wKyUyOFdpbmRvd3MrTlQrMTAuMCUzQitXaW42NCUzQit4NjQlMjkrQXBwbGVXZWJLaXQlMkY1MzcuMzYrJTI4S0hUTUwlMkMrbGlrZStHZWNrbyUyOStDaHJvbWUlMkYxMTEuMC4wLjArU2FmYXJpJTJGNTM3LjM2K09QUiUyRjk3LjAuMC4wJnVuaXF1ZV9pZD0xNjgyODg4MDk3LTgzZURnSWwlMkZKZW1oeW1QZ1l4SDBEQSUzRCUzRCJ9"

C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp" /SL5="$1016C,272048901,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe" /lang=en_US /campaign="…"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RemoveUnlock.TTS"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RemoveUnlock.TTS"

C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe" /install /quiet /norestart

C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe

"C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{9667C29B-97F6-4202-89E5-2BD1D2048E19}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{9667C29B-97F6-4202-89E5-2BD1D2048E19}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /firstRun /installationSource=usedefault /payload=…

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe

"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 584
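The /campaign="..." argument on the GalaxySetup.exe command line above is an opaque blob as printed. The following Python is an added example, not code from the report or from GOG's installer: it decodes the blob, which turns out to be standard base64 over a JSON document whose login_parameters member is a URL-encoded query string repeating the campaign fields. The blob is copied verbatim from the command line above; the function names and the padding-tolerant decoding (command lines quoted in reports are often trimmed of trailing "=") are this example's own. Decoding the argument rather than carrying it around as an opaque indicator is the check worth doing: what comes out is the sign-up page the download originated from, the browser user agent and a unique id, and nothing else.

```python
"""Decode the /campaign="..." argument given to GalaxySetup.exe.

Added example, not code from the report or from GOG's installer. The blob is
copied from the GalaxySetup.exe command line in the Processes list; the
function names and the lenient padding handling are this example's own.
"""
import base64
import binascii
import json
from urllib.parse import parse_qs

# Copied from the /campaign= argument above (780 base64 characters).
CAMPAIGN_BLOB = (
    "eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2Vt"
    "YmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQg"
    "MTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hy"
    "b21lLzExMS4wLjAuMCBTYWZhcmkvNTM3LjM2IE9QUi85Ny4wLjAuMCIsInVuaXF1ZV9pZCI6IjE2ODI4"
    "ODgwOTctODNlRGdJbC9KZW1oeW1QZ1l4SDBEQT09In0sImxvZ2luX3BhcmFtZXRlcnMiOiJvcmlnaW49"
    "aHR0cCUzQSUyRiUyRmdhbGF4eTItc2lnbnVwLmdvZy5wcm9kJTJGZW4lMkYlM0ZlbWJlZGRhYmxlJTNE"
    "dHJ1ZSZvcmlnaW5fdXNlcl9hZ2VudD1Nb3ppbGxhJTJGNS4wKyUyOFdpbmRvd3MrTlQrMTAuMCUzQitX"
    "aW42NCUzQit4NjQlMjkrQXBwbGVXZWJLaXQlMkY1MzcuMzYrJTI4S0hUTUwlMkMrbGlrZStHZWNrbyUy"
    "OStDaHJvbWUlMkYxMTEuMC4wLjArU2FmYXJpJTJGNTM3LjM2K09QUiUyRjk3LjAuMC4wJnVuaXF1ZV9p"
    "ZD0xNjgyODg4MDk3LTgzZURnSWwlMkZKZW1oeW1QZ1l4SDBEQSUzRCUzRCJ9"
)


def b64decode_lenient(text):
    """Decode standard or URL-safe base64, restoring '=' padding that a report
    or a shell may have trimmed. Raises ValueError for non-base64 input."""
    cleaned = "".join(text.split()).replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64: {exc}") from exc


def decode_campaign(blob):
    """Return the campaign document as a dict. The 'login_parameters' member
    is a URL-encoded query string; it is expanded into a dict so its fields
    can be compared with the 'campaign' object directly."""
    data = json.loads(b64decode_lenient(blob).decode("utf-8"))
    params = data.get("login_parameters")
    if isinstance(params, str):
        data["login_parameters"] = {
            key: values[0] if len(values) == 1 else values
            for key, values in parse_qs(params, keep_blank_values=True).items()
        }
    return data


def extract_campaign_arg(cmdline):
    """Pull the quoted value of /campaign="..." out of a command line, or None."""
    marker = '/campaign="'
    start = cmdline.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = cmdline.find('"', start)
    return cmdline[start:end] if end > start else None


if __name__ == "__main__":
    print(json.dumps(decode_campaign(CAMPAIGN_BLOB), indent=2))
```

The decoded campaign.origin is http://galaxy2-signup.gog.prod/en/?embeddable=true, and the login_parameters query string carries the same origin, user agent and unique_id once more, percent-encoded; extract_campaign_arg lets the same decoder be pointed at a command line pasted straight from a report.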

Network

Country Destination Domain Proto
US 8.8.8.8:53 remote-config.gog.com udp
NL 23.72.252.176:443 remote-config.gog.com tcp
US 8.8.8.8:53 insights-collector.gog.com udp
NL 23.72.252.122:443 insights-collector.gog.com tcp
US 8.8.8.8:53 content-system.gog.com udp
NL 23.72.252.168:443 content-system.gog.com tcp
US 8.8.8.8:53 gog-cdn-lumen.secure2.footprint.net udp
SG 8.241.159.140:443 gog-cdn-lumen.secure2.footprint.net tcp
US 8.8.8.8:53 insights-collector.gog.com udp
NL 23.72.252.129:443 insights-collector.gog.com tcp
US 8.8.8.8:53 www.microsoft.com udp
N/A 127.0.0.1:9978 tcp
N/A 127.0.0.1:51677 tcp

Files

memory/1740-54-0x0000000000400000-0x0000000000641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\remoteconfig.json

MD5 77f0ebc2ec5ecd47916207bf510904e2
SHA1 514dd58f5379932360f32dfa41d5706c0bf56076
SHA256 c6a6618fa0bb69a977b8e5e6985fed76575e8671015f53f6bf3c21e2707917c1
SHA512 0d3fedfc364961872e605dcab3865172636a4fa9b6b5e4897c11dc342cff108551589eb2f88f2653ac0e1d4306600642217ccb0b6ed0cbaa6d147d264aacadb5

\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe

MD5 26d02cc778b804689bda1aafa9a76fb1
SHA1 5452c96593478f59471730366c682da19881051d
SHA256 61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635
SHA512 047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxyInstaller.exe

MD5 26d02cc778b804689bda1aafa9a76fb1
SHA1 5452c96593478f59471730366c682da19881051d
SHA256 61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635
SHA512 047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

memory/736-80-0x0000000000B50000-0x0000000000BE0000-memory.dmp

memory/736-81-0x000000001A8E0000-0x000000001A960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\icon.ico

MD5 391cf634b3ccf3971811be5ef016fe32
SHA1 8e3023466d02dfb8f2e1b48555b998532dc9a377
SHA256 de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8
SHA512 c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\payload.campaign

MD5 0069f49d053b0b56ef449c4cc8b861f9
SHA1 fdbe0f50827c022017f17be3db3afd986228e266
SHA256 72211501de8490d22aa4ec45710737ca980624fd31563b400b497534e3a36599
SHA512 7b35f3ae4505e10fc554e063d3220493d657aea511bd632465db9d344e4ddffaaef0fe13c802c892fcf7e3df1281a11d6f369de9ba5787e84292de3ecd3208fb

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\remoteconfig.json

MD5 77f0ebc2ec5ecd47916207bf510904e2
SHA1 514dd58f5379932360f32dfa41d5706c0bf56076
SHA256 c6a6618fa0bb69a977b8e5e6985fed76575e8671015f53f6bf3c21e2707917c1
SHA512 0d3fedfc364961872e605dcab3865172636a4fa9b6b5e4897c11dc342cff108551589eb2f88f2653ac0e1d4306600642217ccb0b6ed0cbaa6d147d264aacadb5

memory/736-97-0x000000001A8E0000-0x000000001A960000-memory.dmp

memory/736-99-0x000000001A8E0000-0x000000001A960000-memory.dmp

memory/736-100-0x000000001A8E0000-0x000000001A960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_VQXNW\GalaxySetup.exe

MD5 b60970dfb43bbee8f7dd8f785b06e513
SHA1 ff3f3ef0c44ffa4120b2f30023573c57dec4d71e
SHA256 793227a3a9a7e30a80d7d2f623ffa0d68c63c9ea2fd0f0e8fbe1d9adbbbae0d6
SHA512 98601a93b6df844a315c2d45429aef54640948ceafa75e3e19d46aa490aa4bac5fb07d3974840e929f256f25b86c9e751546a7ac4c11e09c36516d7f42a555af

memory/824-113-0x0000000000400000-0x0000000000543000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp

MD5 ebda4a669acd86def15d9389e3c408ff
SHA1 88c7f3cdccb377397fa295efd5dbf5af3c5d1bdd
SHA256 399092911144baf021d14ccd882ad8ab8d312e579b8e11fbac1dfb16e72c5740
SHA512 9a406d7fb6827bd992baf4c1c26a84187dafa89dd1afce51f97953c5f4f29319021043f860ddd1d94346265fcec8663581112af9455b0da1dd3a75da6102105a

C:\Users\Admin\AppData\Local\Temp\is-V8DIT.tmp\GalaxySetup.tmp

MD5 ebda4a669acd86def15d9389e3c408ff
SHA1 88c7f3cdccb377397fa295efd5dbf5af3c5d1bdd
SHA256 399092911144baf021d14ccd882ad8ab8d312e579b8e11fbac1dfb16e72c5740
SHA512 9a406d7fb6827bd992baf4c1c26a84187dafa89dd1afce51f97953c5f4f29319021043f860ddd1d94346265fcec8663581112af9455b0da1dd3a75da6102105a

memory/1416-124-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\_isetup\_isdecmp.dll

MD5 077cb4461a2767383b317eb0c50f5f13
SHA1 584e64f1d162398b7f377ce55a6b5740379c4282
SHA256 8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512 b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

memory/824-130-0x0000000000400000-0x0000000000543000-memory.dmp

memory/1416-131-0x0000000000400000-0x0000000000765000-memory.dmp

memory/1416-134-0x0000000000400000-0x0000000000765000-memory.dmp

memory/1416-135-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1416-138-0x0000000000400000-0x0000000000765000-memory.dmp

C:\Program Files (x86)\GOG Galaxy\unins000.exe

MD5 ebda4a669acd86def15d9389e3c408ff
SHA1 88c7f3cdccb377397fa295efd5dbf5af3c5d1bdd
SHA256 399092911144baf021d14ccd882ad8ab8d312e579b8e11fbac1dfb16e72c5740
SHA512 9a406d7fb6827bd992baf4c1c26a84187dafa89dd1afce51f97953c5f4f29319021043f860ddd1d94346265fcec8663581112af9455b0da1dd3a75da6102105a

memory/1416-200-0x0000000000400000-0x0000000000765000-memory.dmp

memory/1524-206-0x000000013F160000-0x000000013F258000-memory.dmp

memory/1736-209-0x000000013F160000-0x000000013F258000-memory.dmp

memory/1524-216-0x000007FEF6320000-0x000007FEF6354000-memory.dmp

memory/1736-224-0x000007FEF6320000-0x000007FEF6354000-memory.dmp

C:\Program Files (x86)\GOG Galaxy\web\is-S9HM2.tmp

MD5 633860092d5763dbb1b4ed0837429ab0
SHA1 adfa76664ec6be58629ca8d58c73ae80277cf076
SHA256 272ca2a34d1a03ee9b22f78c8f101daa5aee84bf8851956380f7c31b04e7ffab
SHA512 78312f12cf247190fb3f2ada10bc7c74ab0b2aacb73236431a29ead85ecafb7b1e0a66ef859c3492880624cc70d6c647e8b883a445c1591042dc3729b178fd2a

memory/1524-240-0x000007FEEEBC0000-0x000007FEEEE74000-memory.dmp

memory/1736-249-0x000007FEEEBC0000-0x000007FEEEE74000-memory.dmp

memory/1524-589-0x000007FEFA990000-0x000007FEFA9A8000-memory.dmp

memory/1736-598-0x000007FEFA990000-0x000007FEFA9A8000-memory.dmp

memory/1524-621-0x000007FEF6FE0000-0x000007FEF6FF7000-memory.dmp

memory/1736-624-0x000007FEF6FE0000-0x000007FEF6FF7000-memory.dmp

memory/1524-643-0x000007FEF66E0000-0x000007FEF66F1000-memory.dmp

memory/1736-646-0x000007FEF66E0000-0x000007FEF66F1000-memory.dmp

memory/1524-659-0x000007FEF62C0000-0x000007FEF62D7000-memory.dmp

memory/1416-706-0x0000000000400000-0x0000000000765000-memory.dmp

memory/1524-709-0x000007FEEEBC0000-0x000007FEEEE74000-memory.dmp

C:\Program Files (x86)\GOG Galaxy\web\locales\pt-PT\is-MF4GD.tmp

MD5 bf804964f529597485b5aa66f76656d8
SHA1 1625addc939cf41ad6677ed2330da32d656d3496
SHA256 4b09dfb390e8e522d12861d0f5e22462658bdacaceaee67bc5132228f9e802d0
SHA512 6c9009c448830cd678be6d6edc28ee5e936ce25ff100c93df66ad24a8f93fc21739ffe80e27d94f400736cf76ae7735ddb7568ffa68ae23a0f566396eb6c4413

memory/1524-730-0x000007FEEF410000-0x000007FEEF421000-memory.dmp

memory/1524-735-0x000007FEEF3F0000-0x000007FEEF40D000-memory.dmp

memory/1524-738-0x000007FEEF3D0000-0x000007FEEF3E1000-memory.dmp

memory/1524-739-0x000007FEECF10000-0x000007FEED110000-memory.dmp

memory/1524-820-0x000007FEEF350000-0x000007FEEF38F000-memory.dmp

memory/1524-823-0x000007FEECEE0000-0x000007FEECF01000-memory.dmp

memory/1524-838-0x000007FEEEBA0000-0x000007FEEEBB8000-memory.dmp

memory/1524-843-0x000007FEECEC0000-0x000007FEECED1000-memory.dmp

memory/1524-860-0x000007FEECEA0000-0x000007FEECEB1000-memory.dmp

memory/1524-885-0x000007FEECE40000-0x000007FEECE51000-memory.dmp

memory/1524-894-0x000007FEECE20000-0x000007FEECE3B000-memory.dmp

memory/1524-923-0x000007FEECE00000-0x000007FEECE11000-memory.dmp

memory/1524-940-0x000007FEECDE0000-0x000007FEECDF8000-memory.dmp

memory/1524-941-0x000007FEECDB0000-0x000007FEECDE0000-memory.dmp

memory/1524-944-0x000007FEECD40000-0x000007FEECDA7000-memory.dmp

C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-VHEDI.tmp

MD5 562e8efa4422fdab66fd48ae64dfc7a5
SHA1 22d7f566adfd42c6c18c5a2e2ccd5d5a3bd49706
SHA256 73185706c9d2aa093c5e0511cee6ff5c52db25228924edb8f3edaf5af913d303
SHA512 b513c177f8dc6edd26391af045bbbd57fc31c3346cc78ae1083373247e08405416198682e773a33991b6f311cd4f65fd2656cb55c63668499494eb7454852f0a

C:\ProgramData\GOG.com\Galaxy\changelogs\is-FD0T2.tmp

MD5 c1f15ad6155a74d5983e43f3015682c5
SHA1 43aae9a8776dec93c992a21c14a27c8af5b9e2f7
SHA256 eabd436dbe6bc4de1416971dfb0060696e2f0aeb15d87c50496137a0e7140e13
SHA512 cc032541a189b4dda78ecbd57d0375a43d86e45a8e0ee92a22878f3b5208e7e3a6527103bc2150143a9e82e1cf6c558d5f3f67070bd98d7318933b77fe95be89

memory/1524-953-0x000007FEEBC90000-0x000007FEECD3B000-memory.dmp

memory/1524-1794-0x000007FEEBC20000-0x000007FEEBC8F000-memory.dmp

memory/1524-1819-0x000007FEEBC00000-0x000007FEEBC11000-memory.dmp

memory/1524-1820-0x000007FEEBBA0000-0x000007FEEBBF6000-memory.dmp

memory/1524-1827-0x000007FEEBB70000-0x000007FEEBB98000-memory.dmp

memory/1524-1830-0x000007FEEBB40000-0x000007FEEBB64000-memory.dmp

memory/1524-1833-0x000007FEEBB20000-0x000007FEEBB37000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe

MD5 3aa2d769397da14166eacdb3640458ee
SHA1 b38b7fc28c5e2ef157f93297036202911d2fc2bf
SHA256 b4d433e2f66b30b478c0d080ccd5217ca2a963c16e90caf10b1e0592b7d8d519
SHA512 404d2301c4719b8791639e8100eff6df7cd9c3ca62ad0a5c7ac8252f8adc2601aeefe83da982a409b9e3d901f74518ff98d2af5ebdd8cc77067be39c20eb1c56

C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x86.exe

MD5 3aa2d769397da14166eacdb3640458ee
SHA1 b38b7fc28c5e2ef157f93297036202911d2fc2bf
SHA256 b4d433e2f66b30b478c0d080ccd5217ca2a963c16e90caf10b1e0592b7d8d519
SHA512 404d2301c4719b8791639e8100eff6df7cd9c3ca62ad0a5c7ac8252f8adc2601aeefe83da982a409b9e3d901f74518ff98d2af5ebdd8cc77067be39c20eb1c56

\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe

MD5 68f7654abfd77baade7a36e1d718ebc4
SHA1 eabba5cb899aee962f85b52e359c9f85d83771b6
SHA256 5b60b35079913ba1e00cddf762c1759650de8a3c2b76e373b996ced4843becdb
SHA512 b48c4ba6112e7ac1dae5846eb41812d265a72fc13966c8f8bdf7099fec88d27b414fe566905a6eea4e2f574c379fe87059018c8a365bed55a46eea9a42b38889

C:\Windows\Temp\{36796B17-F1A6-4C9B-88BC-471F1782FE8C}\.cr\VC_redist.x86.exe

MD5 68f7654abfd77baade7a36e1d718ebc4
SHA1 eabba5cb899aee962f85b52e359c9f85d83771b6
SHA256 5b60b35079913ba1e00cddf762c1759650de8a3c2b76e373b996ced4843becdb
SHA512 b48c4ba6112e7ac1dae5846eb41812d265a72fc13966c8f8bdf7099fec88d27b414fe566905a6eea4e2f574c379fe87059018c8a365bed55a46eea9a42b38889

\Windows\Temp\{9B569FC9-BAE5-4FAD-9237-E1FD67E6956E}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{9B569FC9-BAE5-4FAD-9237-E1FD67E6956E}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe

MD5 1e7bd6790391b5b710c6372ab2042351
SHA1 75f1aee6dccf3d6e6ac49926563737005b93ba13
SHA256 952a0c6cb4a3dd14c3666ef05bb1982c5ff7f87b7103c2ba896354f00651e358
SHA512 ae3860a060be483c9fcbcf6a41f561faf2cd681f39138dd13a563e3f39cf4b4f41e7c0f7b58bc8b585b2728245025be4b198f06634a97fa98847258272f9f59b

\Users\Admin\AppData\Local\Temp\is-8BF6K.tmp\VC_redist.x64.exe

MD5 1e7bd6790391b5b710c6372ab2042351
SHA1 75f1aee6dccf3d6e6ac49926563737005b93ba13
SHA256 952a0c6cb4a3dd14c3666ef05bb1982c5ff7f87b7103c2ba896354f00651e358
SHA512 ae3860a060be483c9fcbcf6a41f561faf2cd681f39138dd13a563e3f39cf4b4f41e7c0f7b58bc8b585b2728245025be4b198f06634a97fa98847258272f9f59b

C:\Windows\Temp\{9667C29B-97F6-4202-89E5-2BD1D2048E19}\.cr\VC_redist.x64.exe

MD5 1d7599c4a31b82e70308c022e9494011
SHA1 7d04a03d5502df2838d40dd131b1cae226cb5205
SHA256 21d2935d29c807a3a56c406849b97dbc7f720822920930d0e2b13a44203c107c
SHA512 080ff020e0d2d9c0ce6beee8143c0f49e1b4450baa08072a8662f4b25ad6b034ee0ad174f2d4acd5b011cb8fb140656755007e245673f7677964b9e99555ab08

\Windows\Temp\{9667C29B-97F6-4202-89E5-2BD1D2048E19}\.cr\VC_redist.x64.exe

MD5 1d7599c4a31b82e70308c022e9494011
SHA1 7d04a03d5502df2838d40dd131b1cae226cb5205
SHA256 21d2935d29c807a3a56c406849b97dbc7f720822920930d0e2b13a44203c107c
SHA512 080ff020e0d2d9c0ce6beee8143c0f49e1b4450baa08072a8662f4b25ad6b034ee0ad174f2d4acd5b011cb8fb140656755007e245673f7677964b9e99555ab08

C:\Windows\Temp\{9BD957F2-62C9-46E7-AF58-FF5B2047164B}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

\Windows\Temp\{9BD957F2-62C9-46E7-AF58-FF5B2047164B}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\ProgramData\GOG.com\Galaxy\redists\web\locales\en-US\is-BRDFH.tmp

MD5 de7b60f5a2dbd33ed7a6f8593f704c11
SHA1 7f04fa834a457f321ef1b645ab2076d2b9178a0f
SHA256 7cf7bd09531fc5750e5e28686356df4fa9c42621cf647600fead70e5184973d3
SHA512 534574b0e5047b4d4b7bb6d668eef622372dba5a0157eb441f166aed92daf9ce8a7334b607a756e35088b3593379566baad1f8e872946adfd84e233fdbe98d79

\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

MD5 44f107864b3a967bb1b3e9da47ad8e90
SHA1 8331f0a5dda5f8cc489653ad8672f731e35fedb7
SHA256 7cfa689f13c1b123069047affc9e89b0bf21d51ee0dfdafde18565cb73efde94
SHA512 5e3373bc546b41ecf58f42308a1d05c47dcde36e964d679145670fe3477630bddd98b862e3a0c09a9c29b4fa350eb408732028fd4a06163b026a70eaf22db1cd

C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

MD5 44f107864b3a967bb1b3e9da47ad8e90
SHA1 8331f0a5dda5f8cc489653ad8672f731e35fedb7
SHA256 7cfa689f13c1b123069047affc9e89b0bf21d51ee0dfdafde18565cb73efde94
SHA512 5e3373bc546b41ecf58f42308a1d05c47dcde36e964d679145670fe3477630bddd98b862e3a0c09a9c29b4fa350eb408732028fd4a06163b026a70eaf22db1cd

C:\Program Files (x86)\GOG Galaxy\PocoUtil.dll

MD5 9cb7c18b68e61c0eac049a3d7d0b970c
SHA1 83f17545fc35c2e1a0b627236309d8c0933a67d3
SHA256 0d0a7c34d2b972fad2a1ec4df2ef604b55742b5e43f42d254851ad6bb5ffe609
SHA512 9bc86e1199540e5299e61d7b873d70d3668f1e281b9dff2fba555d45cab99e23263d49ce50a4d217e0dcf3e3090a5af0e9dd64b32aec14b5ef6edaaec6e29aa4

\Program Files (x86)\GOG Galaxy\PocoUtil.dll

MD5 9cb7c18b68e61c0eac049a3d7d0b970c
SHA1 83f17545fc35c2e1a0b627236309d8c0933a67d3
SHA256 0d0a7c34d2b972fad2a1ec4df2ef604b55742b5e43f42d254851ad6bb5ffe609
SHA512 9bc86e1199540e5299e61d7b873d70d3668f1e281b9dff2fba555d45cab99e23263d49ce50a4d217e0dcf3e3090a5af0e9dd64b32aec14b5ef6edaaec6e29aa4

C:\Program Files (x86)\GOG Galaxy\PocoXML.dll

MD5 ed29d945a6e4ab83974d783e5a910d20
SHA1 4a008b7dcd527fd2ad6b0e4211f431a983104605
SHA256 c12cc8c1f3202c19729538fd3b38b7627cdc122bdad7efdfd37bfac236d7839e
SHA512 8d6eb5ed8ac4b1f95f2f10d0241e130a60540a10b48bb7bb5ced23c6847d333e7818145cfeb93073b2370c216f627f0d7d0a0844e036e9b726a56a4a06409f2f

\Program Files (x86)\GOG Galaxy\PocoXml.dll

MD5 ed29d945a6e4ab83974d783e5a910d20
SHA1 4a008b7dcd527fd2ad6b0e4211f431a983104605
SHA256 c12cc8c1f3202c19729538fd3b38b7627cdc122bdad7efdfd37bfac236d7839e
SHA512 8d6eb5ed8ac4b1f95f2f10d0241e130a60540a10b48bb7bb5ced23c6847d333e7818145cfeb93073b2370c216f627f0d7d0a0844e036e9b726a56a4a06409f2f

C:\Program Files (x86)\GOG Galaxy\PocoFoundation.dll

MD5 3e72226a19d731e0d0baa1e9a2017dd7
SHA1 d1ea639b8a0532f9ce092861016f79d672dcef25
SHA256 97190cd46762d1947922ff330a406a2bc74c5bcd8e29b937be6ebddbfa3a43c8
SHA512 eedc3c54196c37c08d9c9651b378db8f431c76fce206801ae1f29f0fac8a3b37a076d8610070ff5ac1b90866517b09beaa447018155b53350d8fdabdca44f541

\Program Files (x86)\GOG Galaxy\PocoFoundation.dll

MD5 3e72226a19d731e0d0baa1e9a2017dd7
SHA1 d1ea639b8a0532f9ce092861016f79d672dcef25
SHA256 97190cd46762d1947922ff330a406a2bc74c5bcd8e29b937be6ebddbfa3a43c8
SHA512 eedc3c54196c37c08d9c9651b378db8f431c76fce206801ae1f29f0fac8a3b37a076d8610070ff5ac1b90866517b09beaa447018155b53350d8fdabdca44f541

C:\Program Files (x86)\GOG Galaxy\pcre2-8.dll

MD5 6ff65827e6191c4aebe6d611341ae02e
SHA1 41ecaa87dcc727340e6358251a08d3bab240b58e
SHA256 a149b0e6087f27928cd44ecaf6702399745ceda59001f3918d08f4baacaa7544
SHA512 85d34e0562a72c783ec2ddf2ded5c12ada293032451e4a73b530fffddaca73bbc921d5442b2b18780ae66e41d2c2441a775bbd9b14ddefba2a89984ec282df33

\Program Files (x86)\GOG Galaxy\pcre2-8.dll

MD5 6ff65827e6191c4aebe6d611341ae02e
SHA1 41ecaa87dcc727340e6358251a08d3bab240b58e
SHA256 a149b0e6087f27928cd44ecaf6702399745ceda59001f3918d08f4baacaa7544
SHA512 85d34e0562a72c783ec2ddf2ded5c12ada293032451e4a73b530fffddaca73bbc921d5442b2b18780ae66e41d2c2441a775bbd9b14ddefba2a89984ec282df33

C:\Program Files (x86)\GOG Galaxy\libexpat.dll

MD5 657d32eec34d3225b38262a5878e9474
SHA1 22daaca36c1d49bdb8b2851f40596d4cd025dcb0
SHA256 ec4f39fe48a83d113191402d33420728f571df81b46e41e5c37a46845b4d2f62
SHA512 d4889aff3da2fe9d9cbe175b18793af7e82f0fd6e1fb72ec8aeaf0c8e0872f008beb54a2d44f6fd7f389d0ee104c93ecd1998ddbf4f1d0c7be38e802f5c96895

C:\Program Files (x86)\GOG Galaxy\PocoJSON.dll

MD5 c645048dcbff4fd35d51a254c18dc131
SHA1 a3c9b97073d69318979a4d1bb66f02edc7ccdd88
SHA256 ea3fb61653067989f3c95126cb6b470057f3f281fda7152f0940af8677e87a53
SHA512 421f45e6f501aeca01ecfe876d0406404eacc13f4bdc8931e9ef46cf6487e3593394042c29169a6af0a8961f95aaa1ff06576da7b495e6fa039568d24723e6ca

\Program Files (x86)\GOG Galaxy\PocoJSON.dll

MD5 c645048dcbff4fd35d51a254c18dc131
SHA1 a3c9b97073d69318979a4d1bb66f02edc7ccdd88
SHA256 ea3fb61653067989f3c95126cb6b470057f3f281fda7152f0940af8677e87a53
SHA512 421f45e6f501aeca01ecfe876d0406404eacc13f4bdc8931e9ef46cf6487e3593394042c29169a6af0a8961f95aaa1ff06576da7b495e6fa039568d24723e6ca

\Program Files (x86)\GOG Galaxy\libexpat.dll

MD5 657d32eec34d3225b38262a5878e9474
SHA1 22daaca36c1d49bdb8b2851f40596d4cd025dcb0
SHA256 ec4f39fe48a83d113191402d33420728f571df81b46e41e5c37a46845b4d2f62
SHA512 d4889aff3da2fe9d9cbe175b18793af7e82f0fd6e1fb72ec8aeaf0c8e0872f008beb54a2d44f6fd7f389d0ee104c93ecd1998ddbf4f1d0c7be38e802f5c96895

\Program Files (x86)\GOG Galaxy\zlib1.dll

MD5 2a92f0dc6dac8545718ee475b7b961ed
SHA1 c154cdcf10e411f1622e29a7f019ae610f35ddf1
SHA256 3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890
SHA512 190ef026570129f8a9f03e22866fc8b49597644a53d06bb9c1e0cf37edbf689df86de928fb9bf782797262b1fcf85c52e212156eae94af2cd1ae4b25b3298234

C:\Program Files (x86)\GOG Galaxy\zlib1.dll

MD5 2a92f0dc6dac8545718ee475b7b961ed
SHA1 c154cdcf10e411f1622e29a7f019ae610f35ddf1
SHA256 3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890
SHA512 190ef026570129f8a9f03e22866fc8b49597644a53d06bb9c1e0cf37edbf689df86de928fb9bf782797262b1fcf85c52e212156eae94af2cd1ae4b25b3298234

C:\Program Files (x86)\GOG Galaxy\PocoNet.dll

MD5 8fbf4845c06da70e17e40376244b97ba
SHA1 488bb2cfc96dbe103425b9657ddfd646aae4388c
SHA256 fef566ecb133f2d13d18980b8ad667ed202957be7d8716721e9da83f5bb1e04b
SHA512 c1eafd234fe4b5aad87759931edd9c0f8bd902f35b78bbec699b5a5d882011ad7c0a780b781518f4d98c7c880115e1aa57795d5fe138001a7184114d6880c5c1

\Program Files (x86)\GOG Galaxy\PocoNet.dll

MD5 8fbf4845c06da70e17e40376244b97ba
SHA1 488bb2cfc96dbe103425b9657ddfd646aae4388c
SHA256 fef566ecb133f2d13d18980b8ad667ed202957be7d8716721e9da83f5bb1e04b
SHA512 c1eafd234fe4b5aad87759931edd9c0f8bd902f35b78bbec699b5a5d882011ad7c0a780b781518f4d98c7c880115e1aa57795d5fe138001a7184114d6880c5c1

C:\Program Files (x86)\GOG Galaxy\PocoData.dll

MD5 7818a804fa9fd0f9a09263b6b35325fc
SHA1 590971157aa72d48f7939556a7554bc9d8975cd5
SHA256 f2fd84a60790d043b531ec8eef9ad2cc961270e5f34096db1331388f1fa80416
SHA512 63a9821c2a23f2f91ef1893e69a902065596e138850b825df8fb54ceed5ff551cde623049521a78821dce48720a8ae2ed53a8927ae0f404a905a24243fece561

\Program Files (x86)\GOG Galaxy\PocoData.dll

MD5 7818a804fa9fd0f9a09263b6b35325fc
SHA1 590971157aa72d48f7939556a7554bc9d8975cd5
SHA256 f2fd84a60790d043b531ec8eef9ad2cc961270e5f34096db1331388f1fa80416
SHA512 63a9821c2a23f2f91ef1893e69a902065596e138850b825df8fb54ceed5ff551cde623049521a78821dce48720a8ae2ed53a8927ae0f404a905a24243fece561

C:\Program Files (x86)\GOG Galaxy\PocoDataSQLite.dll

MD5 dd7065f6e3bd80c6e7e6419e2475c8a8
SHA1 f01ce83abf97c075fdad042cf6e3f994110ceb78
SHA256 0c1b8043c56a29366da4e7065060201b9f82beba9d1c3c6c393f1a04dc2b136c
SHA512 00656505b68db7bad3a78e283517fb1b2a21217245317334eb6457466564e04ef85a454adbbc97927430da6a6654a66bfaa756808e22dc394413b7bdf434a6c5

\Program Files (x86)\GOG Galaxy\PocoDataSQLite.dll

MD5 dd7065f6e3bd80c6e7e6419e2475c8a8
SHA1 f01ce83abf97c075fdad042cf6e3f994110ceb78
SHA256 0c1b8043c56a29366da4e7065060201b9f82beba9d1c3c6c393f1a04dc2b136c
SHA512 00656505b68db7bad3a78e283517fb1b2a21217245317334eb6457466564e04ef85a454adbbc97927430da6a6654a66bfaa756808e22dc394413b7bdf434a6c5

C:\Program Files (x86)\GOG Galaxy\sqlite.dll

MD5 570163e4b53390b17bf78af85e8af01d
SHA1 e642d74d485c4a3ed3a339ff3f2497b06033ccf2
SHA256 dd57aabccc4193e57140f7df1ef9e4e03ff06239a9061ba9760a9a799fa4ba9a
SHA512 6ca6f066ca9ede06947a52b519ffa37570f31add071545ff07a3c19227642cbfc9441805ad9635e6a75be54adbc272283074c0fd347acd99a4924dcbb9d4cecc

\Program Files (x86)\GOG Galaxy\sqlite.dll

MD5 570163e4b53390b17bf78af85e8af01d
SHA1 e642d74d485c4a3ed3a339ff3f2497b06033ccf2
SHA256 dd57aabccc4193e57140f7df1ef9e4e03ff06239a9061ba9760a9a799fa4ba9a
SHA512 6ca6f066ca9ede06947a52b519ffa37570f31add071545ff07a3c19227642cbfc9441805ad9635e6a75be54adbc272283074c0fd347acd99a4924dcbb9d4cecc

C:\Program Files (x86)\GOG Galaxy\Qt5Gui.dll

MD5 68c19f9f45a98734a6e42745a75ff2d3
SHA1 1f39560b10ab2bf6f3fab76a3be5f305b169fcaa
SHA256 1233ea25703cc1830f658f379bc3e2e4486ea08b9beb356b5d0e4e0a1d4a3329
SHA512 df7e50d8b17f415c9e2ae33851294370a72ab2368b4cf0cc6c5883740ddd7daa02ecd918440c21c5421bc149c0d611220aab4e51f3fd674b9adf167a79f95e41

\Program Files (x86)\GOG Galaxy\Qt5Gui.dll

MD5 68c19f9f45a98734a6e42745a75ff2d3
SHA1 1f39560b10ab2bf6f3fab76a3be5f305b169fcaa
SHA256 1233ea25703cc1830f658f379bc3e2e4486ea08b9beb356b5d0e4e0a1d4a3329
SHA512 df7e50d8b17f415c9e2ae33851294370a72ab2368b4cf0cc6c5883740ddd7daa02ecd918440c21c5421bc149c0d611220aab4e51f3fd674b9adf167a79f95e41

C:\Program Files (x86)\GOG Galaxy\Qt5Core.dll

MD5 ecd2fed8765416bf429f32f14cc5c747
SHA1 00f09763508c58be76a0ef0b348358a0802d4745
SHA256 e9087632fe379f46fc8d6b4f9dfe6b167640c914873ef033d4bfe9138614d7e8
SHA512 77d38303cb59cdcf68cc779d2c40fad0a327d0258802749aeb5b5b25647bc6c687e5b5a10ce8448dc7c6083267a3a86da747540b2eb15e03fd169478851a2057

\Program Files (x86)\GOG Galaxy\Qt5Core.dll

MD5 ecd2fed8765416bf429f32f14cc5c747
SHA1 00f09763508c58be76a0ef0b348358a0802d4745
SHA256 e9087632fe379f46fc8d6b4f9dfe6b167640c914873ef033d4bfe9138614d7e8
SHA512 77d38303cb59cdcf68cc779d2c40fad0a327d0258802749aeb5b5b25647bc6c687e5b5a10ce8448dc7c6083267a3a86da747540b2eb15e03fd169478851a2057

\Program Files (x86)\GOG Galaxy\xdelta3.dll

MD5 9cfacd6bb21d545f154a3ec82aaf9d93
SHA1 1bbee4abe68031b38256c0f4584adb6aed95ce7b
SHA256 57f498d7770150c5516cccff38dabeb90f54647d8e73a2cd45044155d86ff953
SHA512 71f7d498c4442a6f0956cc030e459c8e53d041ae4e4ab1fe6b4a56d141ae6cee95ef26c10722e11923b9c65a2f90efed94da925095c19b9ec911ca499d84856a

C:\Program Files (x86)\GOG Galaxy\Qt5Network.dll

MD5 9dcd0f88d822d9e8f5d72dc15f53fb71
SHA1 5e06d4ec06f720a06320bf660fe5f34a460af200
SHA256 99dd9ff6dda27004de1b43e01cf9d5e415c45fd9bfc05e6293ba87a8109e86c5
SHA512 cc39d393ff5f31827bb92a2c30736575b8464f9ccdc14493785d77bcc7cea8125ee9124b09465619cd9dc73e971a3f480c5ed4f64adf62133c3b86032d328b5a

C:\Program Files (x86)\GOG Galaxy\xdelta3.dll

MD5 9cfacd6bb21d545f154a3ec82aaf9d93
SHA1 1bbee4abe68031b38256c0f4584adb6aed95ce7b
SHA256 57f498d7770150c5516cccff38dabeb90f54647d8e73a2cd45044155d86ff953
SHA512 71f7d498c4442a6f0956cc030e459c8e53d041ae4e4ab1fe6b4a56d141ae6cee95ef26c10722e11923b9c65a2f90efed94da925095c19b9ec911ca499d84856a

\Program Files (x86)\GOG Galaxy\Qt5Network.dll

MD5 9dcd0f88d822d9e8f5d72dc15f53fb71
SHA1 5e06d4ec06f720a06320bf660fe5f34a460af200
SHA256 99dd9ff6dda27004de1b43e01cf9d5e415c45fd9bfc05e6293ba87a8109e86c5
SHA512 cc39d393ff5f31827bb92a2c30736575b8464f9ccdc14493785d77bcc7cea8125ee9124b09465619cd9dc73e971a3f480c5ed4f64adf62133c3b86032d328b5a

C:\Program Files (x86)\GOG Galaxy\libcef.dll

MD5 f380b5b90187ad35f34d3ca0c3051948
SHA1 2bd45db66c4b64b3fda98d841598274c4ac21f29
SHA256 fe0b72b8372d60da2d7ed73451d59720d49a54ee71274a8a9e678b4e9c1fbbc0
SHA512 c92a7bdfd76ceb2ee8088b2d4f3ce738b43448a96a97360b520594620ee6014c7a8643780b0ab0c9da8f6587508311e508690b7523136c133580bc7d2b73d85a

C:\Users\Admin\AppData\Local\GOG.com\Galaxy\Configuration\config.json

MD5 b9458ee7df2e344cfb7ebca63abce667
SHA1 f14b31b480a196c1b072455a61ef4bd316c0deb9
SHA256 d78056318678cad58d996b46f016dc172e9fcc4eacee69ef4d5417cf115d98c7
SHA512 af03bf595e635cb0b99cf2a23a96de8e343779d797e00054974ab6c3d49421386c16db65a84f63548d76329c52b49ea7a555d6c3627700e90115c7cb2644ec28

C:\ProgramData\GOG.com\Galaxy\config.json

MD5 0983ab2871e1f03d0d78954b0e78ded8
SHA1 c15910cdc2a98840d4731cb477d497dfea23387c
SHA256 375a77b239a3564ed9b2c2ebd3607d9faf3d4fddb0db517ba25942e57629f093
SHA512 87a497a9f216fd7dddaa2ef7e0a9ed930ca5634811de5da124b4444b9aea9e755b434770cd6a1921b5f3b7e10fbafab0f442946122765b016f0a28e38e623f3a

C:\Users\Admin\AppData\Local\Temp\Cab4A0C.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

memory/268-2739-0x0000000000670000-0x0000000000680000-memory.dmp

memory/2824-2812-0x0000000000580000-0x0000000000590000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-30 21:01

Reported

2023-04-30 21:07

Platform

win10v2004-20230220-en

Max time kernel

219s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe

"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe

"C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US /campaign="…"

C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp" /SL5="$8003E,272048901,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US /campaign="…"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 remote-config.gog.com udp
NL 23.72.252.136:443 remote-config.gog.com tcp
US 8.8.8.8:53 136.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 33.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 insights-collector.gog.com udp
NL 23.72.252.129:443 insights-collector.gog.com tcp
US 8.8.8.8:53 content-system.gog.com udp
NL 23.72.252.152:443 content-system.gog.com tcp
US 8.8.8.8:53 gog-cdn-lumen.secure2.footprint.net udp
SG 8.241.143.140:443 gog-cdn-lumen.secure2.footprint.net tcp
US 8.8.8.8:53 129.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 152.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 140.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 40.77.2.164:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 67.24.33.254:80 tcp
US 67.24.33.254:80 tcp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp

Files

memory/4544-133-0x0000000000400000-0x0000000000641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\remoteconfig.json

MD5 77f0ebc2ec5ecd47916207bf510904e2
SHA1 514dd58f5379932360f32dfa41d5706c0bf56076
SHA256 c6a6618fa0bb69a977b8e5e6985fed76575e8671015f53f6bf3c21e2707917c1
SHA512 0d3fedfc364961872e605dcab3865172636a4fa9b6b5e4897c11dc342cff108551589eb2f88f2653ac0e1d4306600642217ccb0b6ed0cbaa6d147d264aacadb5

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe

MD5 26d02cc778b804689bda1aafa9a76fb1
SHA1 5452c96593478f59471730366c682da19881051d
SHA256 61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635
SHA512 047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

memory/2336-146-0x0000000000710000-0x00000000007A0000-memory.dmp

memory/2336-147-0x000000001B310000-0x000000001B320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\icon.ico

MD5 391cf634b3ccf3971811be5ef016fe32
SHA1 8e3023466d02dfb8f2e1b48555b998532dc9a377
SHA256 de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8
SHA512 c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\payload.campaign

MD5 0069f49d053b0b56ef449c4cc8b861f9
SHA1 fdbe0f50827c022017f17be3db3afd986228e266
SHA256 72211501de8490d22aa4ec45710737ca980624fd31563b400b497534e3a36599
SHA512 7b35f3ae4505e10fc554e063d3220493d657aea511bd632465db9d344e4ddffaaef0fe13c802c892fcf7e3df1281a11d6f369de9ba5787e84292de3ecd3208fb

memory/2336-159-0x000000001E7B0000-0x000000001E972000-memory.dmp

memory/2336-160-0x000000001EEB0000-0x000000001F3D8000-memory.dmp

memory/2336-164-0x000000001B310000-0x000000001B320000-memory.dmp

memory/4544-165-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2336-166-0x000000001B310000-0x000000001B320000-memory.dmp

memory/2336-168-0x000000001B310000-0x000000001B320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe

MD5 b60970dfb43bbee8f7dd8f785b06e513
SHA1 ff3f3ef0c44ffa4120b2f30023573c57dec4d71e
SHA256 793227a3a9a7e30a80d7d2f623ffa0d68c63c9ea2fd0f0e8fbe1d9adbbbae0d6
SHA512 98601a93b6df844a315c2d45429aef54640948ceafa75e3e19d46aa490aa4bac5fb07d3974840e929f256f25b86c9e751546a7ac4c11e09c36516d7f42a555af

memory/4616-189-0x0000000000400000-0x0000000000543000-memory.dmp

memory/4616-193-0x0000000000400000-0x0000000000543000-memory.dmp

memory/4616-196-0x0000000000400000-0x0000000000543000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp

MD5 ebda4a669acd86def15d9389e3c408ff
SHA1 88c7f3cdccb377397fa295efd5dbf5af3c5d1bdd
SHA256 399092911144baf021d14ccd882ad8ab8d312e579b8e11fbac1dfb16e72c5740
SHA512 9a406d7fb6827bd992baf4c1c26a84187dafa89dd1afce51f97953c5f4f29319021043f860ddd1d94346265fcec8663581112af9455b0da1dd3a75da6102105a

memory/1952-199-0x0000000000400000-0x0000000000765000-memory.dmp

memory/1952-200-0x0000000000920000-0x0000000000921000-memory.dmp

memory/4616-203-0x0000000000400000-0x0000000000543000-memory.dmp

memory/1952-204-0x0000000000400000-0x0000000000765000-memory.dmp

memory/1952-206-0x0000000000400000-0x0000000000765000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-03TVJ.tmp\_isetup\_isdecmp.dll

MD5 077cb4461a2767383b317eb0c50f5f13
SHA1 584e64f1d162398b7f377ce55a6b5740379c4282
SHA256 8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512 b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

memory/1952-215-0x0000000000920000-0x0000000000921000-memory.dmp

memory/1952-217-0x0000000000400000-0x0000000000765000-memory.dmp
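The Files and Network listings above are raw sandbox output: the same dropped file appears once per write event and once per path spelling (with and without the drive letter), and most Network rows are the guest's own DNS resolver traffic and reverse (in-addr.arpa) lookups rather than destinations the sample contacted. The following Python is an added example, not part of this report or of any GOG or sandbox tooling; it parses the entry layout as it appears on this page (path line, blank line, hash lines; `Country Destination Domain Proto` rows) into deduplicated indicators, keying dropped files by digest and discarding resolver noise. The `SAMPLE_REPORT` string is a constructed excerpt of the behavioral2 listings, and the line-format regexes are assumptions taken from the page layout.

```python
"""Reduce a sandbox report's Files and Network listings to deduplicated IOCs."""
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Line shapes assumed from the report layout on this page.
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\\S.*$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
NET_ROW = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


@dataclass
class DroppedFile:
    hashes: dict                              # algorithm -> lowercase hex digest
    paths: set = field(default_factory=set)   # every path this digest was written to


def normalize_path(path: str) -> str:
    """Drop a leading drive letter so 'C:\\X\\y.dll' and '\\X\\y.dll' share one key."""
    return re.sub(r"^[A-Za-z]:", "", path)


def parse_files(report: str):
    """Return ({sha256: DroppedFile}, [memory dump names]) from a Files listing.

    The report repeats an entry for every write of a file; records are keyed by
    digest, so repeats and alternate path spellings only add to `paths`.
    """
    files, dumps = {}, []
    path, hashes = None, {}

    def commit():
        nonlocal path, hashes
        if path is not None and hashes:
            for algo, digest in hashes.items():
                if len(digest) != HASH_LENGTHS[algo]:
                    raise ValueError(f"{algo} for {path} has wrong length: {digest}")
            key = hashes.get("SHA256") or next(iter(hashes.values()))
            files.setdefault(key, DroppedFile(dict(hashes))).paths.add(normalize_path(path))
        path, hashes = None, {}

    for line in (raw.strip() for raw in report.splitlines()):
        if not line:
            continue                      # blanks separate a path from its hashes
        if MEMORY_LINE.match(line):
            commit()
            dumps.append(line)
            continue
        m = HASH_LINE.match(line)
        if m and path is not None:
            hashes[m.group(1)] = m.group(2).lower()
            continue
        if PATH_LINE.match(line):
            commit()
            path = line
            continue
        commit()                          # a heading or table row ends the entry
    commit()
    return files, dumps


def parse_network(report: str):
    """Return (queried domains, direct connections) from a Network table.

    Port 53/udp rows are lookups: keep the queried name unless it is a reverse
    lookup, which the guest issues for every peer. Other rows are real contacts.
    """
    domains, connections = set(), set()
    for line in report.splitlines():
        m = NET_ROW.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == "udp" and port == "53":
            if domain and not domain.endswith(".in-addr.arpa"):
                domains.add(domain)
            continue
        connections.add((ip, int(port), proto, domain or ""))
    return domains, connections


# Constructed excerpt of the behavioral2 listings (a few entries, not the full report).
SAMPLE_REPORT = r"""
C:\Program Files (x86)\GOG Galaxy\zlib1.dll

MD5 2a92f0dc6dac8545718ee475b7b961ed
SHA256 3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890

\Program Files (x86)\GOG Galaxy\zlib1.dll

MD5 2a92f0dc6dac8545718ee475b7b961ed
SHA256 3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890

memory/4544-133-0x0000000000400000-0x0000000000641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe

MD5 b60970dfb43bbee8f7dd8f785b06e513
SHA256 793227a3a9a7e30a80d7d2f623ffa0d68c63c9ea2fd0f0e8fbe1d9adbbbae0d6

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 remote-config.gog.com udp
NL 23.72.252.136:443 remote-config.gog.com tcp
US 40.77.2.164:443 tcp
US 67.24.33.254:80 tcp
US 67.24.33.254:80 tcp
"""
```

Run against the full page text, `parse_files` collapses the paired `\Program Files (x86)\...` and `C:\Program Files (x86)\...` entries and the repeated GalaxySetup.exe writes into one record per digest, and `parse_network` leaves the handful of TLS destinations (the gog.com hosts, the footprint.net CDN, and the unnamed IPs) as the set worth pivoting on. Process paths from the Processes section match `PATH_LINE` but carry no hashes, so they are dropped rather than mistaken for dropped files.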

Analysis: behavioral3

Detonation Overview

Submitted

2023-04-30 21:01

Reported

2023-04-30 21:03

Platform

win7-20230220-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-04-30 21:01

Reported

2023-04-30 21:03

Platform

win10v2004-20230220-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A