c5ffa67d268d7ff6730eefcb92da17234d3b48f495285522497827866eb8bb7c

Analysis

max time kernel
36s
max time network
130s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOG_Galaxy_2.0.exe
Size

960KB
MD5

4e310b3c8eb5fbf369859134863a5cdf
SHA1

4fed7e59415195fc0a2d1a88e8e80e65ed0a7127
SHA256

c5ffa67d268d7ff6730eefcb92da17234d3b48f495285522497827866eb8bb7c
SHA512

33f1a1c62d7d81e4ccad811f2dd90b064236dd2e5bce9e0f5f5d8b3d912c7738e716dfba0484b353a921d7d62e56a8f4b45eafc358c3579c96057c295b0d050b
SSDEEP

12288:T27p5j8DPeuUSFHqLV+JjY4UW61O4RAxDleFbWQCQTFgSYyAzB+Q/uLnK3:T27EDFHqLy826My+QiyGJyAV+muLK3

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1536	GalaxyInstaller.exe

Loads dropped DLL 4 IoCs

pid	Process
2220	GOG_Galaxy_2.0.exe
2220	GOG_Galaxy_2.0.exe
2220	GOG_Galaxy_2.0.exe
2220	GOG_Galaxy_2.0.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-53-0x0000000000400000-0x0000000000641000-memory.dmp	upx
behavioral1/memory/2220-148-0x0000000000400000-0x0000000000641000-memory.dmp	upx
behavioral1/memory/2220-403-0x0000000000400000-0x0000000000641000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	GOG_Galaxy_2.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	GOG_Galaxy_2.0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeDebugPrivilege	1536	GalaxyInstaller.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1340	2580	chrome.exe	29
PID 2580 wrote to memory of 1340	2580	chrome.exe	29
PID 2580 wrote to memory of 1340	2580	chrome.exe	29
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2340	2580	chrome.exe	32
PID 2580 wrote to memory of 2444	2580	chrome.exe	34
PID 2580 wrote to memory of 2444	2580	chrome.exe	34
PID 2580 wrote to memory of 2444	2580	chrome.exe	34
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33
PID 2580 wrote to memory of 2864	2580	chrome.exe	33

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe
"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
PID:2220
- C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6699758,0x7fef6699768,0x7fef6699778
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:2
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1416 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:2
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3252 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3588 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2476 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2448 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3792 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3992 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3484 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3996 --field-trial-handle=1300,i,5295797639556012060,3170138316453650083,131072 /prefetch:1
  2⤵
  PID:2540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2744

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GOG.com\Galaxy\logs\InstallerBootstrapper.log

Filesize
4KB

MD5
a770bc122ce29c1fe4922f5ec5d5b14a

SHA1
ffa78b831863811475e3693c4a156d9bc8c6ef67

SHA256
fb5548dd98ac1ce1a792e9891d578f431a791eea6b573335ae1170449c8f775b

SHA512
b5c4d946c70432be6275c797d378af5b7cd055538350a66b7dd22f22e06b65b455e55b2a999f3764554b518131248b2f2797812740b3e14115f47d1e3236e4f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
39KB

MD5
6a3bb9c5ba28ee73af6c1b53e281b0cf

SHA1
d96e403c99c1707f82ea29c2c1f134e792c64097

SHA256
2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740

SHA512
6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf774866.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
a64d33786801f17e3c059b82674915e9

SHA1
2f7d966ed07edfaa4649a33fd81898695bb124fe

SHA256
7ce65e701328a3e333c8581b0e7c5762213cf878e874c9cba231f19cda03e3b4

SHA512
434b1749283132f2083e257de5e2b01a7338e1f3cf4b26976dbfae751b707f74fca934ea9a05cfe7ef91ae0bd86a1880a3c21c7cbaec1e867919f5ea0382f131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
d4419a94e95d9fa01c7dfab16d94694c

SHA1
256a5b09eac9bc4ac3efec62d59cdfd91bd1b905

SHA256
30a6e8f727846c7ad7ecc959cd3e238f1debcdd8c9ce7b72dee19d342a4b3626

SHA512
a30de95b61cc25cd56203526ed1d4c64c3adaca6a9d46936e35d9a602dd4a4f4fcb5547c35ec202b968bce43e3530b19d354b2c09f819531bb0182b0db35ddda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f004a355b0a2c8fb2d0393759705f7a7

SHA1
7b3c0db336e212d628efec3d31dc1f7997eeb3ee

SHA256
ce41bac5ae6411a1da0528c18175fedf4f0e458cf379c73c12fb298a570af163

SHA512
b1b82f1abfd481239ae41e6e258637268428e75c7a23afd2deb37736c45775539eeca6562d9a1bed3fe794bd196ad9393d5de808efc052dcc70ce7c4d7ce08e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a36aff3e3404eb54e3895dbc9992256b

SHA1
eff286368792f211d22ac7bc4651bc4ad6e2149f

SHA256
dcb2c2701846c1e471df925e499ad82061f07d965068b6c49009a1b3579d965e

SHA512
70a11ee1dd0312527ccacda5c06af1bce4fd51cf68d72acac6a17283b674f7a013db8c9f707f620e52da790f7af233604176040e2ddd001d1bce6f2948205cad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c3168ec195afee4e9d4a42fc2cc3de85

SHA1
6cb987455e024cfc9b0b91c22b864b01f7ffc65f

SHA256
988286b9d3f87d1c3f1bacafbb0d0d8118ed3f46be232333918eb65d0f7657b7

SHA512
22a1434f9437707f359dcb8ba5281b3cac006438749b223e0c1b74870e6681f91a6100267e2325736e1f0779c3fd3adde0a2e296a94090152369e40c3d6ae98e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
305bbe5490fa0b0c1ad410d7a08baf55

SHA1
84b871596810c0c31f557155d7bd16b78c26bd4f

SHA256
4690f8be089e22aeaabdf5d9301a1a56d1634615fbd549a4b6b9066c31c2efd1

SHA512
d75bb2f850e318ff2faff614e883e535c83b6ded2fc218539689807f578342db6835097abaaa3e9262e421c330955ae493cf8b39e63178352a6fd88622749d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
180KB

MD5
f686260a027e876c2629d92c94a4f08b

SHA1
85c2e6aaf553755dffa24aec1fd32623db57d7ba

SHA256
47b3a6f2d1686447e61387ddedca5fffeb6f749339b4d935e32058bb8c2b189e

SHA512
de08708fda9136175cb47ab92f470d2cdb93ce17163f77ebf3c7854f88145922baca9ad9e5280cd994f246155a5cc28989a17567b3a58960ca5cb22d8675007b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\aa9b9a9f-f03e-4bc1-9723-5464792d9abd.tmp

Filesize
180KB

MD5
9594ec2f6ddf4454273fffe1e145f21e

SHA1
aa7d67680b40a1c51780358a5b9ebd9237be8f35

SHA256
4e2fa44cf972ba186990a0cedfab93d2e69cf01bffdf4c50b4f9796d887cab79

SHA512
c8cba3dc09cbcd8ad582a8d508c07dbe6c6ec7ded1e9f0efa1928f3c8618416e2636551ec1da8bcd4f5b32b23e924be25c54a935157c716f6c2e7d608c67044f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\icon.ico

Filesize
480KB

MD5
391cf634b3ccf3971811be5ef016fe32

SHA1
8e3023466d02dfb8f2e1b48555b998532dc9a377

SHA256
de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8

SHA512
c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\payload.campaign

Filesize
69B

MD5
18079c706761781140d58080359630ff

SHA1
b414ce00c3b7bd52aa50a7e208e2c4111e65d75e

SHA256
d51c3f241a2bfdbabb48aef02098843cbd01b073cda789c3ee5035047314981a

SHA512
2d4b636938cc1a778723b23ca7bf5725d4da5ad5fff2beb30193c75bf97c46b1c24ce640324bce5f823bd4c2f554e3f92f71dc62124046d3efb000e391f967b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\remoteconfig.json

Filesize
561B

MD5
e5866239ab06c410a6e046ebe9200eca

SHA1
f0bc48bf2b5701ced7e5f2aa04d318004e5cb204

SHA256
9285a2de2cb204732357bdce1b44297764bb4fa1aab2a249cf2e5929fc43af16

SHA512
568dce28e8e832f3e96a9f36641a373404f2ccc42c6547cf0d8faa2cd3429c3e133783b5c65e1e04e3de4b37f3adce546568e741de1d459749991bb36e8a1fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\remoteconfig.json

Filesize
561B

MD5
e5866239ab06c410a6e046ebe9200eca

SHA1
f0bc48bf2b5701ced7e5f2aa04d318004e5cb204

SHA256
9285a2de2cb204732357bdce1b44297764bb4fa1aab2a249cf2e5929fc43af16

SHA512
568dce28e8e832f3e96a9f36641a373404f2ccc42c6547cf0d8faa2cd3429c3e133783b5c65e1e04e3de4b37f3adce546568e741de1d459749991bb36e8a1fbb

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_zzEAs\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
memory/1536-135-0x00000000001E0000-0x0000000000270000-memory.dmp

Filesize
576KB

Download
memory/1536-137-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1536-136-0x000007FEF30F0000-0x000007FEF3ADC000-memory.dmp

Filesize
9.9MB

Download
memory/1536-230-0x000007FEF30F0000-0x000007FEF3ADC000-memory.dmp

Filesize
9.9MB

Download
memory/1536-291-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1536-400-0x000007FEF30F0000-0x000007FEF3ADC000-memory.dmp

Filesize
9.9MB

Download
memory/1536-211-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1536-233-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2220-403-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2220-148-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2220-53-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download