lumma | d59371c88cd287e0e9704ca0a39bfbb1a5436312d253ccee407d7e3e1c628906

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2023, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOG_Galaxy_Ghostrunner.exe
Size

498KB
MD5

7637e6a3ec95ffee2d83689f200c3015
SHA1

bb99cf1cf097e5b58c9b68629ab58fb491441f91
SHA256

d59371c88cd287e0e9704ca0a39bfbb1a5436312d253ccee407d7e3e1c628906
SHA512

5d6e7245c6dcaae6aa244a2d26a51587f1f0fd1a92a96f83d1e19f67e4e9516d04a81abff258eb40206eeab9eb46378f9743ba02d5fbeb4e8a5bf7f06fb5a4ab
SSDEEP

12288:X/Qgxsoz8Og3FPb5kBCpDGRlvDKAB2sPaVeOx:v4TDFP3o/vDKKFPaJ

Score

10^/10

lumma discovery evasion persistence stealer trojan upx

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	GalaxyInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	GalaxySetup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	GOG_Galaxy_Ghostrunner.exe

Executes dropped EXE 15 IoCs

pid	Process
1644	GalaxyInstaller.exe
4156	GalaxySetup.exe
3456	GalaxySetup.tmp
5112	VC_redist.x86.exe
800	VC_redist.x86.exe
4724	VC_redist.x64.exe
4136	VC_redist.x64.exe
4808	GalaxyClient.exe
4484	GalaxyClientService.exe
3756	GalaxyClient.exe
1864	GalaxyClientService.exe
620	GalaxyClient.exe
4272	GalaxyClientService.exe
956	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe

Loads dropped DLL 64 IoCs

pid	Process
3456	GalaxySetup.tmp
3456	GalaxySetup.tmp
3456	GalaxySetup.tmp
3456	GalaxySetup.tmp
800	VC_redist.x86.exe
4136	VC_redist.x64.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4808	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
1864	GalaxyClientService.exe
1864	GalaxyClientService.exe
1864	GalaxyClientService.exe
1864	GalaxyClientService.exe
1864	GalaxyClientService.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1304-133-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1304-163-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1304-2758-0x0000000000400000-0x000000000051C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	GalaxySetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GalaxyClient	GalaxySetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	GalaxyClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GogGalaxy = "C:\\Program Files (x86)\\GOG Galaxy\\GalaxyClient.exe /launchViaAutoStart"	GalaxyClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GalaxyClient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GalaxyClient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GalaxyClient.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-1F15H.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\PocoXml.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\is-D65HQ.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\is-DJ8JS.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\idna\is-1ANRV.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\images\circleIcon\is-MHIIB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\is-06S5N.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-CULNG.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\fr-FR\is-RT2JB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\is-GGKFM.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\is-5B15E.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-TKH4U.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\tz\is-0I5QU.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\images\circleIcon\is-PTT5S.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-U2CJN.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-ATTMR.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\gogGalaxyLogo\is-AA2MK.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-155UB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\is-PRB3N.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-HUSBM.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\multidict\_multilib\is-EOIEK.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\licences\LatoWeb Font\is-5JIBB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\is-DO2LK.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-6TEU9.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\galaxy\unittest\is-5S8PO.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\python\libssl-1_1.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-ASI36.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-5I0FT.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\Icons\is-LBOD8.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\parser\is-G4HDC.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-LK3CB.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\wntdll.pdb	GalaxyClient.exe
File created	C:\Program Files (x86)\GOG Galaxy\web\src\icons\avatarMask\is-KDPTD.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-SUS88.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\fonts\Oswald\is-2VFCC.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-A6APB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\idna\is-4ST38.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\is-DCRGB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-LM3UJ.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\is-5UM66.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\is-4AVB8.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\yarl\is-4P8R6.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\fonts\LatoWeb\is-GT2O6.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-2QVLT.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\Qt5Core.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\is-PR10R.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-0UM4I.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-I9S1V.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\angularLocales\is-O9IR1.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\discover\welcomeOfferCovers\is-ON4BN.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\images\circleIcon\is-VP4CS.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\dll\wntdll.pdb	GalaxyClient.exe
File created	C:\Program Files (x86)\GOG Galaxy\is-EDAQV.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\cli\is-QA67P.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-CGKBT.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\fonts\LatoWeb\is-2AUIJ.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\images\circleIcon\is-2NQ73.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-9V61V.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\locales\is-OUJV4.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\ko-KR\is-4CC4C.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\whatsNew\is-HGFHG.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-QRI2I.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-5KPKK.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\.hash\is-HU56T.tmp	GalaxySetup.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\is-F5899.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-HOA6C.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-G7R03.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-AO569.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-CKOH5.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-UTFML.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-00RUD.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-ASR2H.tmp	GalaxySetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3600	3756	WerFault.exe	106

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{6AC1E8DF-7DBF-46D9-9327-0FE18FC648B0}	GalaxyClient Helper.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\goggalaxy	GalaxyClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\goggalaxy\URL Protocol	GalaxyClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\goggalaxy\shell\open\command	GalaxyClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\goggalaxy\shell	GalaxyClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\goggalaxy\shell\open	GalaxyClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\goggalaxy\shell\open\command\ = "\"C:\\Program Files (x86)\\GOG Galaxy\\GalaxyClient.exe\" /urlProtocol=\"%1\""	GalaxyClient.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	GalaxyClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GalaxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GalaxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GalaxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GalaxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GalaxyClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	GalaxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	GalaxyClient.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3456	GalaxySetup.tmp
3456	GalaxySetup.tmp
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
4484	GalaxyClientService.exe
3756	GalaxyClient.exe
3756	GalaxyClient.exe
1864	GalaxyClientService.exe
1864	GalaxyClientService.exe
620	GalaxyClient.exe
620	GalaxyClient.exe
4272	GalaxyClientService.exe
4272	GalaxyClientService.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
620	GalaxyClient.exe
620	GalaxyClient.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
956	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe
3492	GalaxyClient Helper.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	GalaxyInstaller.exe
Token: SeTakeOwnershipPrivilege	4808	GalaxyClient.exe
Token: SeRestorePrivilege	4808	GalaxyClient.exe
Token: SeTakeOwnershipPrivilege	4808	GalaxyClient.exe
Token: SeRestorePrivilege	4808	GalaxyClient.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	4484	GalaxyClientService.exe
Token: SeRestorePrivilege	4484	GalaxyClientService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3456	GalaxySetup.tmp

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4808	GalaxyClient.exe
4484	GalaxyClientService.exe
4808	GalaxyClient.exe
4808	GalaxyClient.exe
3756	GalaxyClient.exe
1864	GalaxyClientService.exe
620	GalaxyClient.exe
4272	GalaxyClientService.exe
620	GalaxyClient.exe
620	GalaxyClient.exe
620	GalaxyClient.exe
620	GalaxyClient.exe
620	GalaxyClient.exe
620	GalaxyClient.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1644	1304	GOG_Galaxy_Ghostrunner.exe	87
PID 1304 wrote to memory of 1644	1304	GOG_Galaxy_Ghostrunner.exe	87
PID 1644 wrote to memory of 4156	1644	GalaxyInstaller.exe	97
PID 1644 wrote to memory of 4156	1644	GalaxyInstaller.exe	97
PID 1644 wrote to memory of 4156	1644	GalaxyInstaller.exe	97
PID 4156 wrote to memory of 3456	4156	GalaxySetup.exe	98
PID 4156 wrote to memory of 3456	4156	GalaxySetup.exe	98
PID 4156 wrote to memory of 3456	4156	GalaxySetup.exe	98
PID 3456 wrote to memory of 5112	3456	GalaxySetup.tmp	99
PID 3456 wrote to memory of 5112	3456	GalaxySetup.tmp	99
PID 3456 wrote to memory of 5112	3456	GalaxySetup.tmp	99
PID 5112 wrote to memory of 800	5112	VC_redist.x86.exe	100
PID 5112 wrote to memory of 800	5112	VC_redist.x86.exe	100
PID 5112 wrote to memory of 800	5112	VC_redist.x86.exe	100
PID 3456 wrote to memory of 4724	3456	GalaxySetup.tmp	101
PID 3456 wrote to memory of 4724	3456	GalaxySetup.tmp	101
PID 3456 wrote to memory of 4724	3456	GalaxySetup.tmp	101
PID 4724 wrote to memory of 4136	4724	VC_redist.x64.exe	102
PID 4724 wrote to memory of 4136	4724	VC_redist.x64.exe	102
PID 4724 wrote to memory of 4136	4724	VC_redist.x64.exe	102
PID 3456 wrote to memory of 4808	3456	GalaxySetup.tmp	104
PID 3456 wrote to memory of 4808	3456	GalaxySetup.tmp	104
PID 3456 wrote to memory of 4808	3456	GalaxySetup.tmp	104
PID 3456 wrote to memory of 3756	3456	GalaxySetup.tmp	106
PID 3456 wrote to memory of 3756	3456	GalaxySetup.tmp	106
PID 3456 wrote to memory of 3756	3456	GalaxySetup.tmp	106
PID 1304 wrote to memory of 620	1304	GOG_Galaxy_Ghostrunner.exe	111
PID 1304 wrote to memory of 620	1304	GOG_Galaxy_Ghostrunner.exe	111
PID 1304 wrote to memory of 620	1304	GOG_Galaxy_Ghostrunner.exe	111
PID 620 wrote to memory of 956	620	GalaxyClient.exe	114
PID 620 wrote to memory of 956	620	GalaxyClient.exe	114
PID 620 wrote to memory of 956	620	GalaxyClient.exe	114
PID 620 wrote to memory of 3492	620	GalaxyClient.exe	115
PID 620 wrote to memory of 3492	620	GalaxyClient.exe	115
PID 620 wrote to memory of 3492	620	GalaxyClient.exe	115

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_Ghostrunner.exe
"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_Ghostrunner.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxyInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxyInstaller.exe" 1957528513 "Ghostrunner"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxySetup.exe" /lang=en_US /webinstaller /product_id=1957528513 /silent /game_name="Ghostrunner"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\is-C8PC3.tmp\GalaxySetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-C8PC3.tmp\GalaxySetup.tmp" /SL5="$1101F6,271706050,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxySetup.exe" /lang=en_US /webinstaller /product_id=1957528513 /silent /game_name="Ghostrunner"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x86.exe" /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\Temp\{DC6E0A48-5AEE-4B79-AEBD-38E0E2527264}\.cr\VC_redist.x86.exe
        
        "C:\Windows\Temp\{DC6E0A48-5AEE-4B79-AEBD-38E0E2527264}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x86.exe" -burn.filehandle.attached=648 -burn.filehandle.self=540 /install /quiet /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:800
    - - C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x64.exe" /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\Temp\{37ADA326-3CBB-4D50-A88A-5A245D4C7CD5}\.cr\VC_redist.x64.exe
        
        "C:\Windows\Temp\{37ADA326-3CBB-4D50-A88A-5A245D4C7CD5}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /install /quiet /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4136
    - - C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /firstRun /installationSource=usedefault
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4808
    - - C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /clientLanguage=en-US
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 948
        6⤵
        Program crash
        
        PID:3600
- C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
  "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /command=installationScreen /gameId=1957528513
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe
    "C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe" --type=gpu-process --field-trial-handle=3564,15082781730393255048,6717436579725562548,131072 --disable-features=NetworkService --no-sandbox --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --log-severity=info --user-agent="GOGGalaxyClient/2.0.65.11 (GOG Galaxy) 83b6745cff679691b69876bc7ee33e05e5d90bda (win10 x64)" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --service-request-channel-token=12676081913681191764 --mojo-platform-channel-handle=3572 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:956
- - C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe
    "C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --disable-threaded-scrolling --js-flags=--expose-gc --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --field-trial-handle=3564,15082781730393255048,6717436579725562548,131072 --disable-features=NetworkService --enable-blink-features=CSSBackdropFilter,AsyncClipboard --lang=en-US --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --log-severity=info --user-agent="GOGGalaxyClient/2.0.65.11 (GOG Galaxy) 83b6745cff679691b69876bc7ee33e05e5d90bda (win10 x64)" --disable-pdf-extension --disable-spell-checking --uncaught-exception-stack-size=999 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=343117668445981115 --renderer-client-id=3 --mojo-platform-channel-handle=4320 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3492

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe
"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe
"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3756 -ip 3756
1⤵
PID:1116

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe
"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

Filesize
13.2MB

MD5
0658a4d0c13dcfab4dbde805f6e6860e

SHA1
6b2579402e748c7ca1efe1f9bb1829b935e2e7a3

SHA256
128fbd3e7bc974a324006f8a3b698c304de9b68acac4def6068bee651b4ea97b

SHA512
eae31bf35bc820d6f153e01934e456224f1de37f591cb71cd31fdb745e7fad28d6434a0c9166a0d94cb44778b1053a02e63d68f64552587ad7bfeb8caa11c274

Download Submit
C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

Filesize
13.2MB

MD5
0658a4d0c13dcfab4dbde805f6e6860e

SHA1
6b2579402e748c7ca1efe1f9bb1829b935e2e7a3

SHA256
128fbd3e7bc974a324006f8a3b698c304de9b68acac4def6068bee651b4ea97b

SHA512
eae31bf35bc820d6f153e01934e456224f1de37f591cb71cd31fdb745e7fad28d6434a0c9166a0d94cb44778b1053a02e63d68f64552587ad7bfeb8caa11c274

Download Submit
C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

Filesize
13.2MB

MD5
0658a4d0c13dcfab4dbde805f6e6860e

SHA1
6b2579402e748c7ca1efe1f9bb1829b935e2e7a3

SHA256
128fbd3e7bc974a324006f8a3b698c304de9b68acac4def6068bee651b4ea97b

SHA512
eae31bf35bc820d6f153e01934e456224f1de37f591cb71cd31fdb745e7fad28d6434a0c9166a0d94cb44778b1053a02e63d68f64552587ad7bfeb8caa11c274

Download Submit
C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe

Filesize
2.2MB

MD5
76747c5133c8771ea8409e7875896394

SHA1
a02d239a3bfde4f6b3606dbe1856d4edc21d9925

SHA256
c7e15a14885a8c887a8f6227eb58a80e17309079307c03eec496cc8d0bc00177

SHA512
9657d0ef6b1d080d7abea8ac1b65f5e61ba3155952b6dc76e3ccb2b89da64759bcf3d0e999f44f50f4c5f1c9d57fcd22d9ae6e8aa61ea75c70dcc08faf756335

Download Submit
C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe

Filesize
2.2MB

MD5
76747c5133c8771ea8409e7875896394

SHA1
a02d239a3bfde4f6b3606dbe1856d4edc21d9925

SHA256
c7e15a14885a8c887a8f6227eb58a80e17309079307c03eec496cc8d0bc00177

SHA512
9657d0ef6b1d080d7abea8ac1b65f5e61ba3155952b6dc76e3ccb2b89da64759bcf3d0e999f44f50f4c5f1c9d57fcd22d9ae6e8aa61ea75c70dcc08faf756335

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoData.dll

Filesize
1.7MB

MD5
7818a804fa9fd0f9a09263b6b35325fc

SHA1
590971157aa72d48f7939556a7554bc9d8975cd5

SHA256
f2fd84a60790d043b531ec8eef9ad2cc961270e5f34096db1331388f1fa80416

SHA512
63a9821c2a23f2f91ef1893e69a902065596e138850b825df8fb54ceed5ff551cde623049521a78821dce48720a8ae2ed53a8927ae0f404a905a24243fece561

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoData.dll

Filesize
1.7MB

MD5
7818a804fa9fd0f9a09263b6b35325fc

SHA1
590971157aa72d48f7939556a7554bc9d8975cd5

SHA256
f2fd84a60790d043b531ec8eef9ad2cc961270e5f34096db1331388f1fa80416

SHA512
63a9821c2a23f2f91ef1893e69a902065596e138850b825df8fb54ceed5ff551cde623049521a78821dce48720a8ae2ed53a8927ae0f404a905a24243fece561

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoDataSQLite.dll

Filesize
372KB

MD5
dd7065f6e3bd80c6e7e6419e2475c8a8

SHA1
f01ce83abf97c075fdad042cf6e3f994110ceb78

SHA256
0c1b8043c56a29366da4e7065060201b9f82beba9d1c3c6c393f1a04dc2b136c

SHA512
00656505b68db7bad3a78e283517fb1b2a21217245317334eb6457466564e04ef85a454adbbc97927430da6a6654a66bfaa756808e22dc394413b7bdf434a6c5

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoDataSQLite.dll

Filesize
372KB

MD5
dd7065f6e3bd80c6e7e6419e2475c8a8

SHA1
f01ce83abf97c075fdad042cf6e3f994110ceb78

SHA256
0c1b8043c56a29366da4e7065060201b9f82beba9d1c3c6c393f1a04dc2b136c

SHA512
00656505b68db7bad3a78e283517fb1b2a21217245317334eb6457466564e04ef85a454adbbc97927430da6a6654a66bfaa756808e22dc394413b7bdf434a6c5

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoFoundation.dll

Filesize
1.7MB

MD5
3e72226a19d731e0d0baa1e9a2017dd7

SHA1
d1ea639b8a0532f9ce092861016f79d672dcef25

SHA256
97190cd46762d1947922ff330a406a2bc74c5bcd8e29b937be6ebddbfa3a43c8

SHA512
eedc3c54196c37c08d9c9651b378db8f431c76fce206801ae1f29f0fac8a3b37a076d8610070ff5ac1b90866517b09beaa447018155b53350d8fdabdca44f541

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoFoundation.dll

Filesize
1.7MB

MD5
3e72226a19d731e0d0baa1e9a2017dd7

SHA1
d1ea639b8a0532f9ce092861016f79d672dcef25

SHA256
97190cd46762d1947922ff330a406a2bc74c5bcd8e29b937be6ebddbfa3a43c8

SHA512
eedc3c54196c37c08d9c9651b378db8f431c76fce206801ae1f29f0fac8a3b37a076d8610070ff5ac1b90866517b09beaa447018155b53350d8fdabdca44f541

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoJSON.dll

Filesize
338KB

MD5
c645048dcbff4fd35d51a254c18dc131

SHA1
a3c9b97073d69318979a4d1bb66f02edc7ccdd88

SHA256
ea3fb61653067989f3c95126cb6b470057f3f281fda7152f0940af8677e87a53

SHA512
421f45e6f501aeca01ecfe876d0406404eacc13f4bdc8931e9ef46cf6487e3593394042c29169a6af0a8961f95aaa1ff06576da7b495e6fa039568d24723e6ca

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoJSON.dll

Filesize
338KB

MD5
c645048dcbff4fd35d51a254c18dc131

SHA1
a3c9b97073d69318979a4d1bb66f02edc7ccdd88

SHA256
ea3fb61653067989f3c95126cb6b470057f3f281fda7152f0940af8677e87a53

SHA512
421f45e6f501aeca01ecfe876d0406404eacc13f4bdc8931e9ef46cf6487e3593394042c29169a6af0a8961f95aaa1ff06576da7b495e6fa039568d24723e6ca

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoNet.dll

Filesize
1.3MB

MD5
8fbf4845c06da70e17e40376244b97ba

SHA1
488bb2cfc96dbe103425b9657ddfd646aae4388c

SHA256
fef566ecb133f2d13d18980b8ad667ed202957be7d8716721e9da83f5bb1e04b

SHA512
c1eafd234fe4b5aad87759931edd9c0f8bd902f35b78bbec699b5a5d882011ad7c0a780b781518f4d98c7c880115e1aa57795d5fe138001a7184114d6880c5c1

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoNet.dll

Filesize
1.3MB

MD5
8fbf4845c06da70e17e40376244b97ba

SHA1
488bb2cfc96dbe103425b9657ddfd646aae4388c

SHA256
fef566ecb133f2d13d18980b8ad667ed202957be7d8716721e9da83f5bb1e04b

SHA512
c1eafd234fe4b5aad87759931edd9c0f8bd902f35b78bbec699b5a5d882011ad7c0a780b781518f4d98c7c880115e1aa57795d5fe138001a7184114d6880c5c1

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoUtil.dll

Filesize
526KB

MD5
9cb7c18b68e61c0eac049a3d7d0b970c

SHA1
83f17545fc35c2e1a0b627236309d8c0933a67d3

SHA256
0d0a7c34d2b972fad2a1ec4df2ef604b55742b5e43f42d254851ad6bb5ffe609

SHA512
9bc86e1199540e5299e61d7b873d70d3668f1e281b9dff2fba555d45cab99e23263d49ce50a4d217e0dcf3e3090a5af0e9dd64b32aec14b5ef6edaaec6e29aa4

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoUtil.dll

Filesize
526KB

MD5
9cb7c18b68e61c0eac049a3d7d0b970c

SHA1
83f17545fc35c2e1a0b627236309d8c0933a67d3

SHA256
0d0a7c34d2b972fad2a1ec4df2ef604b55742b5e43f42d254851ad6bb5ffe609

SHA512
9bc86e1199540e5299e61d7b873d70d3668f1e281b9dff2fba555d45cab99e23263d49ce50a4d217e0dcf3e3090a5af0e9dd64b32aec14b5ef6edaaec6e29aa4

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoXML.dll

Filesize
539KB

MD5
ed29d945a6e4ab83974d783e5a910d20

SHA1
4a008b7dcd527fd2ad6b0e4211f431a983104605

SHA256
c12cc8c1f3202c19729538fd3b38b7627cdc122bdad7efdfd37bfac236d7839e

SHA512
8d6eb5ed8ac4b1f95f2f10d0241e130a60540a10b48bb7bb5ced23c6847d333e7818145cfeb93073b2370c216f627f0d7d0a0844e036e9b726a56a4a06409f2f

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoXml.dll

Filesize
539KB

MD5
ed29d945a6e4ab83974d783e5a910d20

SHA1
4a008b7dcd527fd2ad6b0e4211f431a983104605

SHA256
c12cc8c1f3202c19729538fd3b38b7627cdc122bdad7efdfd37bfac236d7839e

SHA512
8d6eb5ed8ac4b1f95f2f10d0241e130a60540a10b48bb7bb5ced23c6847d333e7818145cfeb93073b2370c216f627f0d7d0a0844e036e9b726a56a4a06409f2f

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoZip.dll

Filesize
287KB

MD5
fe8390a1579b4d0ac0f168bc59a70ae0

SHA1
927f98a0c58e96de4886bb5253b538627de9e823

SHA256
feb6006bd1fa6224313fc02d70c38da1c95827152452370c8aa2087e122b02ce

SHA512
d924a509933dcfe97b79ef4f715107c55f931058391f7a782cf496a84dfe42656e5f7a523dbbc7b21cf51cbea8aa02b43a5392e2b0e6a4f06a97d504eebb1f7d

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoZip.dll

Filesize
287KB

MD5
fe8390a1579b4d0ac0f168bc59a70ae0

SHA1
927f98a0c58e96de4886bb5253b538627de9e823

SHA256
feb6006bd1fa6224313fc02d70c38da1c95827152452370c8aa2087e122b02ce

SHA512
d924a509933dcfe97b79ef4f715107c55f931058391f7a782cf496a84dfe42656e5f7a523dbbc7b21cf51cbea8aa02b43a5392e2b0e6a4f06a97d504eebb1f7d

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Core.dll

Filesize
5.1MB

MD5
ecd2fed8765416bf429f32f14cc5c747

SHA1
00f09763508c58be76a0ef0b348358a0802d4745

SHA256
e9087632fe379f46fc8d6b4f9dfe6b167640c914873ef033d4bfe9138614d7e8

SHA512
77d38303cb59cdcf68cc779d2c40fad0a327d0258802749aeb5b5b25647bc6c687e5b5a10ce8448dc7c6083267a3a86da747540b2eb15e03fd169478851a2057

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Core.dll

Filesize
5.1MB

MD5
ecd2fed8765416bf429f32f14cc5c747

SHA1
00f09763508c58be76a0ef0b348358a0802d4745

SHA256
e9087632fe379f46fc8d6b4f9dfe6b167640c914873ef033d4bfe9138614d7e8

SHA512
77d38303cb59cdcf68cc779d2c40fad0a327d0258802749aeb5b5b25647bc6c687e5b5a10ce8448dc7c6083267a3a86da747540b2eb15e03fd169478851a2057

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Gui.dll

Filesize
5.6MB

MD5
68c19f9f45a98734a6e42745a75ff2d3

SHA1
1f39560b10ab2bf6f3fab76a3be5f305b169fcaa

SHA256
1233ea25703cc1830f658f379bc3e2e4486ea08b9beb356b5d0e4e0a1d4a3329

SHA512
df7e50d8b17f415c9e2ae33851294370a72ab2368b4cf0cc6c5883740ddd7daa02ecd918440c21c5421bc149c0d611220aab4e51f3fd674b9adf167a79f95e41

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Gui.dll

Filesize
5.6MB

MD5
68c19f9f45a98734a6e42745a75ff2d3

SHA1
1f39560b10ab2bf6f3fab76a3be5f305b169fcaa

SHA256
1233ea25703cc1830f658f379bc3e2e4486ea08b9beb356b5d0e4e0a1d4a3329

SHA512
df7e50d8b17f415c9e2ae33851294370a72ab2368b4cf0cc6c5883740ddd7daa02ecd918440c21c5421bc149c0d611220aab4e51f3fd674b9adf167a79f95e41

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Network.dll

Filesize
1.0MB

MD5
9dcd0f88d822d9e8f5d72dc15f53fb71

SHA1
5e06d4ec06f720a06320bf660fe5f34a460af200

SHA256
99dd9ff6dda27004de1b43e01cf9d5e415c45fd9bfc05e6293ba87a8109e86c5

SHA512
cc39d393ff5f31827bb92a2c30736575b8464f9ccdc14493785d77bcc7cea8125ee9124b09465619cd9dc73e971a3f480c5ed4f64adf62133c3b86032d328b5a

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Network.dll

Filesize
1.0MB

MD5
9dcd0f88d822d9e8f5d72dc15f53fb71

SHA1
5e06d4ec06f720a06320bf660fe5f34a460af200

SHA256
99dd9ff6dda27004de1b43e01cf9d5e415c45fd9bfc05e6293ba87a8109e86c5

SHA512
cc39d393ff5f31827bb92a2c30736575b8464f9ccdc14493785d77bcc7cea8125ee9124b09465619cd9dc73e971a3f480c5ed4f64adf62133c3b86032d328b5a

Download Submit
C:\Program Files (x86)\GOG Galaxy\chrome_elf.dll

Filesize
703KB

MD5
884537665618e90e195912a01fc0b007

SHA1
0dfb2689ed2b37260392776a6aa4025b31c5025f

SHA256
98a132ff75b044ce9a666148cce3742214a8525f3c839f4c2a47356aeb93e652

SHA512
02eb60c9e42d1477aa5c27e0c38af1757b09738c2e287964fa5aa510547abf0cef6050f9ae64442250634a8fd21ad345c3fd3432466cecffad384805ed3d6461

Download Submit
C:\Program Files (x86)\GOG Galaxy\chrome_elf.dll

Filesize
703KB

MD5
884537665618e90e195912a01fc0b007

SHA1
0dfb2689ed2b37260392776a6aa4025b31c5025f

SHA256
98a132ff75b044ce9a666148cce3742214a8525f3c839f4c2a47356aeb93e652

SHA512
02eb60c9e42d1477aa5c27e0c38af1757b09738c2e287964fa5aa510547abf0cef6050f9ae64442250634a8fd21ad345c3fd3432466cecffad384805ed3d6461

Download Submit
C:\Program Files (x86)\GOG Galaxy\libcef.dll

Filesize
90.3MB

MD5
f380b5b90187ad35f34d3ca0c3051948

SHA1
2bd45db66c4b64b3fda98d841598274c4ac21f29

SHA256
fe0b72b8372d60da2d7ed73451d59720d49a54ee71274a8a9e678b4e9c1fbbc0

SHA512
c92a7bdfd76ceb2ee8088b2d4f3ce738b43448a96a97360b520594620ee6014c7a8643780b0ab0c9da8f6587508311e508690b7523136c133580bc7d2b73d85a

Download Submit
C:\Program Files (x86)\GOG Galaxy\libcef.dll

Filesize
90.3MB

MD5
f380b5b90187ad35f34d3ca0c3051948

SHA1
2bd45db66c4b64b3fda98d841598274c4ac21f29

SHA256
fe0b72b8372d60da2d7ed73451d59720d49a54ee71274a8a9e678b4e9c1fbbc0

SHA512
c92a7bdfd76ceb2ee8088b2d4f3ce738b43448a96a97360b520594620ee6014c7a8643780b0ab0c9da8f6587508311e508690b7523136c133580bc7d2b73d85a

Download Submit
C:\Program Files (x86)\GOG Galaxy\libcrypto-1_1.dll

Filesize
2.4MB

MD5
e863188d86f3291d101d3165a57f42c1

SHA1
d22b38ef7fb33203506a997114ec1bbf54df8a35

SHA256
ef31c88b93350311ec3b55d8a6a1279bf919196ae268254a51e698a049045321

SHA512
18d84e4ab9012d20b041cb4409486c41267e141196c4bc249bb7b1f3b5ca6c4641f4664a510c81d2f4ffcaac3af149035f2ec1699ffbe61a15ab7b7d651d39e5

Download Submit
C:\Program Files (x86)\GOG Galaxy\libcrypto-1_1.dll

Filesize
2.4MB

MD5
e863188d86f3291d101d3165a57f42c1

SHA1
d22b38ef7fb33203506a997114ec1bbf54df8a35

SHA256
ef31c88b93350311ec3b55d8a6a1279bf919196ae268254a51e698a049045321

SHA512
18d84e4ab9012d20b041cb4409486c41267e141196c4bc249bb7b1f3b5ca6c4641f4664a510c81d2f4ffcaac3af149035f2ec1699ffbe61a15ab7b7d651d39e5

Download Submit
C:\Program Files (x86)\GOG Galaxy\libexpat.dll

Filesize
173KB

MD5
657d32eec34d3225b38262a5878e9474

SHA1
22daaca36c1d49bdb8b2851f40596d4cd025dcb0

SHA256
ec4f39fe48a83d113191402d33420728f571df81b46e41e5c37a46845b4d2f62

SHA512
d4889aff3da2fe9d9cbe175b18793af7e82f0fd6e1fb72ec8aeaf0c8e0872f008beb54a2d44f6fd7f389d0ee104c93ecd1998ddbf4f1d0c7be38e802f5c96895

Download Submit
C:\Program Files (x86)\GOG Galaxy\libexpat.dll

Filesize
173KB

MD5
657d32eec34d3225b38262a5878e9474

SHA1
22daaca36c1d49bdb8b2851f40596d4cd025dcb0

SHA256
ec4f39fe48a83d113191402d33420728f571df81b46e41e5c37a46845b4d2f62

SHA512
d4889aff3da2fe9d9cbe175b18793af7e82f0fd6e1fb72ec8aeaf0c8e0872f008beb54a2d44f6fd7f389d0ee104c93ecd1998ddbf4f1d0c7be38e802f5c96895

Download Submit
C:\Program Files (x86)\GOG Galaxy\pcre2-8.dll

Filesize
576KB

MD5
6ff65827e6191c4aebe6d611341ae02e

SHA1
41ecaa87dcc727340e6358251a08d3bab240b58e

SHA256
a149b0e6087f27928cd44ecaf6702399745ceda59001f3918d08f4baacaa7544

SHA512
85d34e0562a72c783ec2ddf2ded5c12ada293032451e4a73b530fffddaca73bbc921d5442b2b18780ae66e41d2c2441a775bbd9b14ddefba2a89984ec282df33

Download Submit
C:\Program Files (x86)\GOG Galaxy\pcre2-8.dll

Filesize
576KB

MD5
6ff65827e6191c4aebe6d611341ae02e

SHA1
41ecaa87dcc727340e6358251a08d3bab240b58e

SHA256
a149b0e6087f27928cd44ecaf6702399745ceda59001f3918d08f4baacaa7544

SHA512
85d34e0562a72c783ec2ddf2ded5c12ada293032451e4a73b530fffddaca73bbc921d5442b2b18780ae66e41d2c2441a775bbd9b14ddefba2a89984ec282df33

Download Submit
C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-OHMNL.tmp

Filesize
987KB

MD5
562e8efa4422fdab66fd48ae64dfc7a5

SHA1
22d7f566adfd42c6c18c5a2e2ccd5d5a3bd49706

SHA256
73185706c9d2aa093c5e0511cee6ff5c52db25228924edb8f3edaf5af913d303

SHA512
b513c177f8dc6edd26391af045bbbd57fc31c3346cc78ae1083373247e08405416198682e773a33991b6f311cd4f65fd2656cb55c63668499494eb7454852f0a

Download Submit
C:\Program Files (x86)\GOG Galaxy\sqlite.dll

Filesize
802KB

MD5
570163e4b53390b17bf78af85e8af01d

SHA1
e642d74d485c4a3ed3a339ff3f2497b06033ccf2

SHA256
dd57aabccc4193e57140f7df1ef9e4e03ff06239a9061ba9760a9a799fa4ba9a

SHA512
6ca6f066ca9ede06947a52b519ffa37570f31add071545ff07a3c19227642cbfc9441805ad9635e6a75be54adbc272283074c0fd347acd99a4924dcbb9d4cecc

Download Submit
C:\Program Files (x86)\GOG Galaxy\sqlite.dll

Filesize
802KB

MD5
570163e4b53390b17bf78af85e8af01d

SHA1
e642d74d485c4a3ed3a339ff3f2497b06033ccf2

SHA256
dd57aabccc4193e57140f7df1ef9e4e03ff06239a9061ba9760a9a799fa4ba9a

SHA512
6ca6f066ca9ede06947a52b519ffa37570f31add071545ff07a3c19227642cbfc9441805ad9635e6a75be54adbc272283074c0fd347acd99a4924dcbb9d4cecc

Download Submit
C:\Program Files (x86)\GOG Galaxy\web\is-44GVU.tmp

Filesize
27KB

MD5
f6f79d474faa8870a9378b048571cc9f

SHA1
e4364b1522bd8e77ed00593209753b2eeee9d8db

SHA256
4a6d0dd3e6b99e5d1e6b05c414ac284068b8517f7c3dc1083e8f201635e83174

SHA512
a5dad42f44429ae1d8f04ba2bb06353df741cbe0748a4fe707c9be3c46d8217cd96bc606309a2a8570856e9cafc650102ccfba3e47d66b2299a563160c0d3f71

Download Submit
C:\Program Files (x86)\GOG Galaxy\web\locales\pt-PT\is-5USIR.tmp

Filesize
1KB

MD5
bf804964f529597485b5aa66f76656d8

SHA1
1625addc939cf41ad6677ed2330da32d656d3496

SHA256
4b09dfb390e8e522d12861d0f5e22462658bdacaceaee67bc5132228f9e802d0

SHA512
6c9009c448830cd678be6d6edc28ee5e936ce25ff100c93df66ad24a8f93fc21739ffe80e27d94f400736cf76ae7735ddb7568ffa68ae23a0f566396eb6c4413

Download Submit
C:\Program Files (x86)\GOG Galaxy\xdelta3.dll

Filesize
131KB

MD5
9cfacd6bb21d545f154a3ec82aaf9d93

SHA1
1bbee4abe68031b38256c0f4584adb6aed95ce7b

SHA256
57f498d7770150c5516cccff38dabeb90f54647d8e73a2cd45044155d86ff953

SHA512
71f7d498c4442a6f0956cc030e459c8e53d041ae4e4ab1fe6b4a56d141ae6cee95ef26c10722e11923b9c65a2f90efed94da925095c19b9ec911ca499d84856a

Download Submit
C:\Program Files (x86)\GOG Galaxy\xdelta3.dll

Filesize
131KB

MD5
9cfacd6bb21d545f154a3ec82aaf9d93

SHA1
1bbee4abe68031b38256c0f4584adb6aed95ce7b

SHA256
57f498d7770150c5516cccff38dabeb90f54647d8e73a2cd45044155d86ff953

SHA512
71f7d498c4442a6f0956cc030e459c8e53d041ae4e4ab1fe6b4a56d141ae6cee95ef26c10722e11923b9c65a2f90efed94da925095c19b9ec911ca499d84856a

Download Submit
C:\Program Files (x86)\GOG Galaxy\zlib1.dll

Filesize
104KB

MD5
2a92f0dc6dac8545718ee475b7b961ed

SHA1
c154cdcf10e411f1622e29a7f019ae610f35ddf1

SHA256
3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890

SHA512
190ef026570129f8a9f03e22866fc8b49597644a53d06bb9c1e0cf37edbf689df86de928fb9bf782797262b1fcf85c52e212156eae94af2cd1ae4b25b3298234

Download Submit
C:\Program Files (x86)\GOG Galaxy\zlib1.dll

Filesize
104KB

MD5
2a92f0dc6dac8545718ee475b7b961ed

SHA1
c154cdcf10e411f1622e29a7f019ae610f35ddf1

SHA256
3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890

SHA512
190ef026570129f8a9f03e22866fc8b49597644a53d06bb9c1e0cf37edbf689df86de928fb9bf782797262b1fcf85c52e212156eae94af2cd1ae4b25b3298234

Download Submit
C:\ProgramData\GOG.com\Galaxy\changelogs\is-F0G8V.tmp

Filesize
38KB

MD5
4ce143770a3afb2d1005ecef87319043

SHA1
67f4b63535fe977ecf5fa6213e6cbe3b4a375628

SHA256
7ff90a4dd45006cbe6e2e619213230610f1c6c19c7e3b659403e43e656c8373a

SHA512
ca944a89d988b1d6499e79b6425dd0fc8393519d4205815fdc7b5678fc7dc4169816b603d8f007d64b82906215cca790d0f8cdf3f1b47353c2c51133be5b4614

Download Submit
C:\ProgramData\GOG.com\Galaxy\config.json

Filesize
268B

MD5
0983ab2871e1f03d0d78954b0e78ded8

SHA1
c15910cdc2a98840d4731cb477d497dfea23387c

SHA256
375a77b239a3564ed9b2c2ebd3607d9faf3d4fddb0db517ba25942e57629f093

SHA512
87a497a9f216fd7dddaa2ef7e0a9ed930ca5634811de5da124b4444b9aea9e755b434770cd6a1921b5f3b7e10fbafab0f442946122765b016f0a28e38e623f3a

Download Submit
C:\ProgramData\GOG.com\Galaxy\config.json

Filesize
333B

MD5
8aff2bacd43d7ae89a1aca1214ac95e4

SHA1
f03edc36e35032b6f6a611f1bb2349d6ee28e479

SHA256
3097d19d77718ccdca2009b77a12c890e324cf8ee71043335dec1095127dfcf4

SHA512
fb207c234a975fdcaff4f4f153f9d8a7046c2d468cf26415009593c36d79200e0c2c1b53025e36282d559a28ea38eae8f5a05915c2a0662377b9cc9e84b7da82

Download Submit
C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe

Filesize
6.8MB

MD5
e1c21a64a6ac37d90b53befcac265208

SHA1
f43ed1c789ddd49aeb41be2c5cf5c9c6e351c32d

SHA256
a88ee465f8818f0cecae7d84926bccca5e58a40d03dbc827b2525726771f8d9c

SHA512
67ac3776d332362f2c883c80e0907935df53d8f580bde954b9fc0433f9a3f981c5bc8e688db1b30b8f163ef9da639001a290f6d92f93370658adf503a2bffa98

Download Submit
C:\ProgramData\GOG.com\Galaxy\redists\web\locales\en-US\is-K5I8E.tmp

Filesize
132KB

MD5
96969eb9afc4355dd342e251734a557d

SHA1
796f619070b3d7cad99fb943aaa51228496042f0

SHA256
9abf2b43b4f6aed60b3231b8dad8a7c5d5b219591b511fd529d6c0736c24bffe

SHA512
6bfb730442ea67a51f989e67913e48758fc672cf6c36f09b9928c285ab87982e8cacc18412855520070710b3175822fc1a7378f2548ebb071893dbd40a3b74c3

Download Submit
C:\Users\Admin\AppData\Local\GOG.com\Galaxy\Configuration\config.json

Filesize
2KB

MD5
b9458ee7df2e344cfb7ebca63abce667

SHA1
f14b31b480a196c1b072455a61ef4bd316c0deb9

SHA256
d78056318678cad58d996b46f016dc172e9fcc4eacee69ef4d5417cf115d98c7

SHA512
af03bf595e635cb0b99cf2a23a96de8e343779d797e00054974ab6c3d49421386c16db65a84f63548d76329c52b49ea7a555d6c3627700e90115c7cb2644ec28

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxyInstaller.exe

Filesize
120KB

MD5
d30d3a49fa8166b17dfdba3a9a153e92

SHA1
d97de62286b49e7fd25a8ef45d4808c7ebb320d4

SHA256
9e246ee6babdc3861578c36af8c652d4d4be1f3e83583472bcfdb3ea238eeec2

SHA512
466689b40679dd7c78d504bd440ad68e6656a8d4d88822f21c0deb513921ea0c578af63aeaf6c8b4f4edf989c36727575f3a69fd62f291d5bd5af3739733178b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxySetup.exe

Filesize
262.7MB

MD5
9bf2310d428ba023fec2ad87adef42d5

SHA1
4c94c0e7fb0ae4a0723f9265b97fc1225c2d69fb

SHA256
dec0d968446dfb35c39f272adc9d6b91aa79f68ed8a4934113f59b5c1a142abb

SHA512
418c16a05ce884d845090119bda65bf01f4dbd681dc3a538f6c27da8b251cf6344479ac6c69bd3e8fb6fe7dd4fa3b54deccd29701797d781b03ceb087c636366

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxySetup.exe

Filesize
262.7MB

MD5
9bf2310d428ba023fec2ad87adef42d5

SHA1
4c94c0e7fb0ae4a0723f9265b97fc1225c2d69fb

SHA256
dec0d968446dfb35c39f272adc9d6b91aa79f68ed8a4934113f59b5c1a142abb

SHA512
418c16a05ce884d845090119bda65bf01f4dbd681dc3a538f6c27da8b251cf6344479ac6c69bd3e8fb6fe7dd4fa3b54deccd29701797d781b03ceb087c636366

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\GalaxySetup.exe

Filesize
262.7MB

MD5
9bf2310d428ba023fec2ad87adef42d5

SHA1
4c94c0e7fb0ae4a0723f9265b97fc1225c2d69fb

SHA256
dec0d968446dfb35c39f272adc9d6b91aa79f68ed8a4934113f59b5c1a142abb

SHA512
418c16a05ce884d845090119bda65bf01f4dbd681dc3a538f6c27da8b251cf6344479ac6c69bd3e8fb6fe7dd4fa3b54deccd29701797d781b03ceb087c636366

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\icon.ico

Filesize
109KB

MD5
90ce8a437fcaf7c5af8b9e6f99a72247

SHA1
bd4b4d8a5ba983103fd5171061938a750a3bc22d

SHA256
cb78a6deee16650a3284322e2ed03a4528d2b2565683fc369b76355a4a0ef951

SHA512
8919ba6f57a95746710f8ddaa5ab1b5d27be0ac47504316ed84118896e03297fa0fefc5ccf091d94e97f6ab9666e9564831ae17bc47760df07ac702248a2f6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\remoteconfig.json

Filesize
555B

MD5
51fe53e485f9767f8db9fcc2abf60d7e

SHA1
3255e1830c405b0df6057b89bd23583be55eed74

SHA256
d335bbe53c54b02d42a3ff4ea976bff6597fd70a2dfd53cc03f181ebab689fc4

SHA512
81f473f76d3941865bad44794c59644e33334ce487662e80fdc78959233f6abd7c2f359c9c61ac27ae8a4e8aeb59068ae9e817f7d0c2af016330e275b3b30e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_gqFzK\remoteconfig.json

Filesize
555B

MD5
51fe53e485f9767f8db9fcc2abf60d7e

SHA1
3255e1830c405b0df6057b89bd23583be55eed74

SHA256
d335bbe53c54b02d42a3ff4ea976bff6597fd70a2dfd53cc03f181ebab689fc4

SHA512
81f473f76d3941865bad44794c59644e33334ce487662e80fdc78959233f6abd7c2f359c9c61ac27ae8a4e8aeb59068ae9e817f7d0c2af016330e275b3b30e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8PC3.tmp\GalaxySetup.tmp

Filesize
3.3MB

MD5
d4d2a2f5b5fff481cac8d7b11578fab5

SHA1
210d87bdcf3bb9860c513a856b0c395288111255

SHA256
92826c668ebc5ef58fbb1a57a1b88fef61c0070edbb0bae25bdef65091680571

SHA512
8b262ab93c6018fdb59c37eca0168b13507c349814d536b752b3227bb071f93fa1f80e1318187dce30d01be8514d253e7c6deb050f9d4a484dba20a7f5d8988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8PC3.tmp\GalaxySetup.tmp

Filesize
3.3MB

MD5
d4d2a2f5b5fff481cac8d7b11578fab5

SHA1
210d87bdcf3bb9860c513a856b0c395288111255

SHA256
92826c668ebc5ef58fbb1a57a1b88fef61c0070edbb0bae25bdef65091680571

SHA512
8b262ab93c6018fdb59c37eca0168b13507c349814d536b752b3227bb071f93fa1f80e1318187dce30d01be8514d253e7c6deb050f9d4a484dba20a7f5d8988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x64.exe

Filesize
14.3MB

MD5
1e7bd6790391b5b710c6372ab2042351

SHA1
75f1aee6dccf3d6e6ac49926563737005b93ba13

SHA256
952a0c6cb4a3dd14c3666ef05bb1982c5ff7f87b7103c2ba896354f00651e358

SHA512
ae3860a060be483c9fcbcf6a41f561faf2cd681f39138dd13a563e3f39cf4b4f41e7c0f7b58bc8b585b2728245025be4b198f06634a97fa98847258272f9f59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x64.exe

Filesize
14.3MB

MD5
1e7bd6790391b5b710c6372ab2042351

SHA1
75f1aee6dccf3d6e6ac49926563737005b93ba13

SHA256
952a0c6cb4a3dd14c3666ef05bb1982c5ff7f87b7103c2ba896354f00651e358

SHA512
ae3860a060be483c9fcbcf6a41f561faf2cd681f39138dd13a563e3f39cf4b4f41e7c0f7b58bc8b585b2728245025be4b198f06634a97fa98847258272f9f59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x86.exe

Filesize
13.8MB

MD5
3aa2d769397da14166eacdb3640458ee

SHA1
b38b7fc28c5e2ef157f93297036202911d2fc2bf

SHA256
b4d433e2f66b30b478c0d080ccd5217ca2a963c16e90caf10b1e0592b7d8d519

SHA512
404d2301c4719b8791639e8100eff6df7cd9c3ca62ad0a5c7ac8252f8adc2601aeefe83da982a409b9e3d901f74518ff98d2af5ebdd8cc77067be39c20eb1c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\VC_redist.x86.exe

Filesize
13.8MB

MD5
3aa2d769397da14166eacdb3640458ee

SHA1
b38b7fc28c5e2ef157f93297036202911d2fc2bf

SHA256
b4d433e2f66b30b478c0d080ccd5217ca2a963c16e90caf10b1e0592b7d8d519

SHA512
404d2301c4719b8791639e8100eff6df7cd9c3ca62ad0a5c7ac8252f8adc2601aeefe83da982a409b9e3d901f74518ff98d2af5ebdd8cc77067be39c20eb1c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GS228.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
C:\Windows\Temp\{37ADA326-3CBB-4D50-A88A-5A245D4C7CD5}\.cr\VC_redist.x64.exe

Filesize
632KB

MD5
1d7599c4a31b82e70308c022e9494011

SHA1
7d04a03d5502df2838d40dd131b1cae226cb5205

SHA256
21d2935d29c807a3a56c406849b97dbc7f720822920930d0e2b13a44203c107c

SHA512
080ff020e0d2d9c0ce6beee8143c0f49e1b4450baa08072a8662f4b25ad6b034ee0ad174f2d4acd5b011cb8fb140656755007e245673f7677964b9e99555ab08

Download Submit
C:\Windows\Temp\{37ADA326-3CBB-4D50-A88A-5A245D4C7CD5}\.cr\VC_redist.x64.exe

Filesize
632KB

MD5
1d7599c4a31b82e70308c022e9494011

SHA1
7d04a03d5502df2838d40dd131b1cae226cb5205

SHA256
21d2935d29c807a3a56c406849b97dbc7f720822920930d0e2b13a44203c107c

SHA512
080ff020e0d2d9c0ce6beee8143c0f49e1b4450baa08072a8662f4b25ad6b034ee0ad174f2d4acd5b011cb8fb140656755007e245673f7677964b9e99555ab08

Download Submit
C:\Windows\Temp\{5748732B-39BE-4D2F-831C-0DEE0D3C1506}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{5748732B-39BE-4D2F-831C-0DEE0D3C1506}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{6E589B8D-2836-400A-91A4-4BF3BC0BA213}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{6E589B8D-2836-400A-91A4-4BF3BC0BA213}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{DC6E0A48-5AEE-4B79-AEBD-38E0E2527264}\.cr\VC_redist.x86.exe

Filesize
632KB

MD5
68f7654abfd77baade7a36e1d718ebc4

SHA1
eabba5cb899aee962f85b52e359c9f85d83771b6

SHA256
5b60b35079913ba1e00cddf762c1759650de8a3c2b76e373b996ced4843becdb

SHA512
b48c4ba6112e7ac1dae5846eb41812d265a72fc13966c8f8bdf7099fec88d27b414fe566905a6eea4e2f574c379fe87059018c8a365bed55a46eea9a42b38889

Download Submit
C:\Windows\Temp\{DC6E0A48-5AEE-4B79-AEBD-38E0E2527264}\.cr\VC_redist.x86.exe

Filesize
632KB

MD5
68f7654abfd77baade7a36e1d718ebc4

SHA1
eabba5cb899aee962f85b52e359c9f85d83771b6

SHA256
5b60b35079913ba1e00cddf762c1759650de8a3c2b76e373b996ced4843becdb

SHA512
b48c4ba6112e7ac1dae5846eb41812d265a72fc13966c8f8bdf7099fec88d27b414fe566905a6eea4e2f574c379fe87059018c8a365bed55a46eea9a42b38889

Download Submit
memory/620-2756-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/956-2767-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/1304-133-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1304-2758-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1304-163-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1644-146-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/1644-165-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/1644-164-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/1644-162-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/1644-158-0x000000001DAA0000-0x000000001DFC8000-memory.dmp

Filesize
5.2MB

Download
memory/1644-157-0x000000001D3A0000-0x000000001D562000-memory.dmp

Filesize
1.8MB

Download
memory/1644-145-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/1864-2735-0x0000000001370000-0x0000000001380000-memory.dmp

Filesize
64KB

Download
memory/3456-203-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-2747-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-2048-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-215-0x0000000006AA0000-0x0000000006AAD000-memory.dmp

Filesize
52KB

Download
memory/3456-521-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-2512-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-2733-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-538-0x0000000006AA0000-0x0000000006AAD000-memory.dmp

Filesize
52KB

Download
memory/3456-196-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3456-898-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3456-200-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3456-199-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3492-2784-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/3756-2732-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/3756-2742-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/4156-202-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4156-187-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4156-2748-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4156-195-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4156-190-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4272-2759-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/4484-2727-0x0000000001AC0000-0x0000000001AD0000-memory.dmp

Filesize
64KB

Download
memory/4808-2514-0x0000000001AD0000-0x0000000001AE0000-memory.dmp

Filesize
64KB

Download