35d28d41f6ae7bee08889ae3f470af4f94eaf52fa55ab3c1661ae9419947d8c1

Analysis

max time kernel
127s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOG_Galaxy_2.0.exe
Size

960KB
MD5

073c6e12924e8ed40908ebd8f50269f6
SHA1

55531db348c074a2bea5a78ac79f0193e5281a35
SHA256

35d28d41f6ae7bee08889ae3f470af4f94eaf52fa55ab3c1661ae9419947d8c1
SHA512

c5dba4fe0f655f961a4198b6eeb96face546585a1b78210149a952bbbe9793fa8db9efefd522681200dd693c5e9fa81ddbdf0bcf0e525a82ad10fd72ba741686
SSDEEP

12288:T27p5j8DPeuUSFHqLV+JjY4UW61O4RAxDleFbWQCQTFgSYyAzB+Q/uLnK3:T27EDFHqLy826My+QiyGJyAV+muLK3

Score

8^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	GOG_Galaxy_2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	GalaxyInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	GalaxySetup.tmp

Executes dropped EXE 16 IoCs

pid	Process
3516	GalaxyInstaller.exe
4588	GalaxySetup.exe
1548	GalaxySetup.tmp
2276	VC_redist.x86.exe
2536	VC_redist.x86.exe
1656	VC_redist.x64.exe
4292	VC_redist.x64.exe
3276	GalaxyClient.exe
216	GalaxyClientService.exe
1984	GalaxyClient.exe
2184	GalaxyClientService.exe
316	GalaxyClient.exe
628	GalaxyClientService.exe
3332	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
1088	GalaxyClient Helper.exe

Loads dropped DLL 64 IoCs

pid	Process
1548	GalaxySetup.tmp
1548	GalaxySetup.tmp
2536	VC_redist.x86.exe
4292	VC_redist.x64.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
3276	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4732-0-0x0000000000400000-0x0000000000641000-memory.dmp	upx
behavioral2/memory/4732-34-0x0000000000400000-0x0000000000641000-memory.dmp	upx
behavioral2/memory/4732-2627-0x0000000000400000-0x0000000000641000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GalaxyClient	GalaxySetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GogGalaxy = "C:\\Program Files (x86)\\GOG Galaxy\\GalaxyClient.exe /launchViaAutoStart"	GalaxyClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GalaxyClient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GalaxyClient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GalaxyClient.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-8SSML.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-GO5C5.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\is-CND4N.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-A8K3S.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\quazip.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\is-H5RUR.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\symbols\DLL\wkernel32.pdb	GalaxyClient.exe
File created	C:\Program Files (x86)\GOG Galaxy\web\src\fonts\is-IHMVT.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-378BP.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\multidict\is-QI9J7.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\bin\chardetect.exe	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\idna\is-OD3NB.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\xdelta3.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\idna\is-BR1TO.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\fr-FR\is-5U98B.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\ja-JP\is-07PJJ.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-AKSQI.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\galaxy\is-9HP86.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\galaxy\api\is-S3HNF.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\is-US2JE.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\en-US\is-PULPV.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\idna\is-09OA0.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\locales\is-BD2C6.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\python\is-B1TSQ.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-9F5Q3.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\is-SJU97.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\attr\is-I454G.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\is-UQEVM.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-6OJ9J.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-4FG23.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-ITA15.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\aiohttp\is-LTE2T.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-LV385.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\chardet\is-RCOHO.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\swiftshader\libGLESv2.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-NB2U4.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\PocoXml.dll	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\attr\is-P5EQ0.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\it-IT\is-0FJKK.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\attr\is-RJBML.tmp	GalaxySetup.tmp
File opened for modification	C:\Program Files (x86)\GOG Galaxy\GalaxyClient.pdb	GalaxyClient.exe
File created	C:\Program Files (x86)\GOG Galaxy\web\is-EUI5G.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-6TDAS.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\chardet\cli\is-RKSH4.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\src\images\circleIcon\is-HH19D.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-4VUB0.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\.hash\is-N7F7N.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\galaxy\api\is-5IQDV.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\idna\is-0M4H7.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\is-CTJII.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\gameImgPlaceholders\is-60BDP.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginXbox\dateutil\is-8GR75.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-B08FG.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-B6992.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-40OG8.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\psutil\tests\is-DTG54.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-IPG72.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-VN2HV.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\angularLocales\is-GM6OB.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\images\cp2077\is-CJRBO.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-EJG0Q.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\licences\Apache\is-4NG9U.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\pt-BR\is-P5MJA.tmp	GalaxySetup.tmp
File created	C:\Program Files (x86)\GOG Galaxy\web\locales\es-ES\is-AKPO8.tmp	GalaxySetup.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\is-5KRS9.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-TD8MH.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-KCA72.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-AM0RU.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-0P5FI.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-2P5A1.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-JAO7H.tmp	GalaxySetup.tmp
File created	C:\Windows\Fonts\is-7S1PD.tmp	GalaxySetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\goggalaxy\shell\open\command	GalaxyClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\goggalaxy\shell	GalaxyClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\goggalaxy\shell\open	GalaxyClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\goggalaxy\shell\open\command\ = "\"C:\\Program Files (x86)\\GOG Galaxy\\GalaxyClient.exe\" /urlProtocol=\"%1\""	GalaxyClient.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{726BC106-AE5C-4BF5-8E7A-C01DF0584673}	GalaxyClient Helper.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\goggalaxy	GalaxyClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\goggalaxy\URL Protocol	GalaxyClient.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	GalaxyClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	GalaxyClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c1400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e42040000000100000010000000d91299e84355cd8d5a86795a0118b6e90f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64190000000100000010000000a344f71a7a52a76ee49b74b1d8816b155c000000010000000400000000100000180000000100000010000000ffac207997bb2cfe865570179ee037b94b0000000100000044000000430038004500350033003400450045003100320039004600320037004400350035003400360030004300450031003700460044003600320038003200310036005f0000002000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	GalaxyClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	GalaxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	GalaxyClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	GalaxySetup.tmp
1548	GalaxySetup.tmp
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
216	GalaxyClientService.exe
1984	GalaxyClient.exe
1984	GalaxyClient.exe
2184	GalaxyClientService.exe
2184	GalaxyClientService.exe
316	GalaxyClient.exe
316	GalaxyClient.exe
628	GalaxyClientService.exe
628	GalaxyClientService.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
316	GalaxyClient.exe
316	GalaxyClient.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
3332	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe
4144	GalaxyClient Helper.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	GalaxyInstaller.exe
Token: SeTakeOwnershipPrivilege	3276	GalaxyClient.exe
Token: SeRestorePrivilege	3276	GalaxyClient.exe
Token: SeTakeOwnershipPrivilege	3276	GalaxyClient.exe
Token: SeRestorePrivilege	3276	GalaxyClient.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe
Token: SeTakeOwnershipPrivilege	216	GalaxyClientService.exe
Token: SeRestorePrivilege	216	GalaxyClientService.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1548	GalaxySetup.tmp
316	GalaxyClient.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3276	GalaxyClient.exe
216	GalaxyClientService.exe
3276	GalaxyClient.exe
3276	GalaxyClient.exe
1984	GalaxyClient.exe
2184	GalaxyClientService.exe
316	GalaxyClient.exe
628	GalaxyClientService.exe
316	GalaxyClient.exe
316	GalaxyClient.exe
316	GalaxyClient.exe
316	GalaxyClient.exe
316	GalaxyClient.exe
316	GalaxyClient.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 3516	4732	GOG_Galaxy_2.0.exe	86
PID 4732 wrote to memory of 3516	4732	GOG_Galaxy_2.0.exe	86
PID 3516 wrote to memory of 4588	3516	GalaxyInstaller.exe	91
PID 3516 wrote to memory of 4588	3516	GalaxyInstaller.exe	91
PID 3516 wrote to memory of 4588	3516	GalaxyInstaller.exe	91
PID 4588 wrote to memory of 1548	4588	GalaxySetup.exe	92
PID 4588 wrote to memory of 1548	4588	GalaxySetup.exe	92
PID 4588 wrote to memory of 1548	4588	GalaxySetup.exe	92
PID 1548 wrote to memory of 2276	1548	GalaxySetup.tmp	95
PID 1548 wrote to memory of 2276	1548	GalaxySetup.tmp	95
PID 1548 wrote to memory of 2276	1548	GalaxySetup.tmp	95
PID 2276 wrote to memory of 2536	2276	VC_redist.x86.exe	96
PID 2276 wrote to memory of 2536	2276	VC_redist.x86.exe	96
PID 2276 wrote to memory of 2536	2276	VC_redist.x86.exe	96
PID 1548 wrote to memory of 1656	1548	GalaxySetup.tmp	97
PID 1548 wrote to memory of 1656	1548	GalaxySetup.tmp	97
PID 1548 wrote to memory of 1656	1548	GalaxySetup.tmp	97
PID 1656 wrote to memory of 4292	1656	VC_redist.x64.exe	98
PID 1656 wrote to memory of 4292	1656	VC_redist.x64.exe	98
PID 1656 wrote to memory of 4292	1656	VC_redist.x64.exe	98
PID 1548 wrote to memory of 3276	1548	GalaxySetup.tmp	99
PID 1548 wrote to memory of 3276	1548	GalaxySetup.tmp	99
PID 1548 wrote to memory of 3276	1548	GalaxySetup.tmp	99
PID 1548 wrote to memory of 1984	1548	GalaxySetup.tmp	102
PID 1548 wrote to memory of 1984	1548	GalaxySetup.tmp	102
PID 1548 wrote to memory of 1984	1548	GalaxySetup.tmp	102
PID 1548 wrote to memory of 316	1548	GalaxySetup.tmp	104
PID 1548 wrote to memory of 316	1548	GalaxySetup.tmp	104
PID 1548 wrote to memory of 316	1548	GalaxySetup.tmp	104
PID 316 wrote to memory of 3332	316	GalaxyClient.exe	107
PID 316 wrote to memory of 3332	316	GalaxyClient.exe	107
PID 316 wrote to memory of 3332	316	GalaxyClient.exe	107
PID 316 wrote to memory of 4144	316	GalaxyClient.exe	108
PID 316 wrote to memory of 4144	316	GalaxyClient.exe	108
PID 316 wrote to memory of 4144	316	GalaxyClient.exe	108
PID 316 wrote to memory of 1088	316	GalaxyClient.exe	109
PID 316 wrote to memory of 1088	316	GalaxyClient.exe	109
PID 316 wrote to memory of 1088	316	GalaxyClient.exe	109

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe
"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\GalaxyInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\GalaxyInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\GalaxySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTcyMTAwMTYzMy1EdFFKUkhTSVFqUEc2QTNIYlhsMDVBPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEyNi4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE3MjEwMDE2MzMtRHRRSlJIU0lRalBHNkEzSGJYbDA1QSUzRCUzRCJ9"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\is-3LCG4.tmp\GalaxySetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3LCG4.tmp\GalaxySetup.tmp" /SL5="$80060,273144529,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTcyMTAwMTYzMy1EdFFKUkhTSVFqUEc2QTNIYlhsMDVBPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEyNi4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE3MjEwMDE2MzMtRHRRSlJIU0lRalBHNkEzSGJYbDA1QSUzRCUzRCJ9"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x86.exe" /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\Temp\{ACBB58C6-23D1-4791-BBFF-37BA16B735E0}\.cr\VC_redist.x86.exe
        
        "C:\Windows\Temp\{ACBB58C6-23D1-4791-BBFF-37BA16B735E0}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2536
    - - C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x64.exe" /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\Temp\{01FABDE2-65D9-4508-A278-E27E59F0D7D2}\.cr\VC_redist.x64.exe
        
        "C:\Windows\Temp\{01FABDE2-65D9-4508-A278-E27E59F0D7D2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648 /install /quiet /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4292
    - - C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /firstRun /installationSource=usedefault /payload=eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTcyMTAwMTYzMy1EdFFKUkhTSVFqUEc2QTNIYlhsMDVBPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEyNi4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE3MjEwMDE2MzMtRHRRSlJIU0lRalBHNkEzSGJYbDA1QSUzRCUzRCJ9
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3276
    - - C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /clientLanguage=en-US
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1984
    - - C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /installerLaunch /payload=eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTcyMTAwMTYzMy1EdFFKUkhTSVFqUEc2QTNIYlhsMDVBPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEyNi4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE3MjEwMDE2MzMtRHRRSlJIU0lRalBHNkEzSGJYbDA1QSUzRCUzRCJ9
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe" --type=gpu-process --field-trial-handle=3576,6399331852599183236,12766683365366094322,131072 --disable-features=NetworkService --no-sandbox --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --log-severity=info --user-agent="GOGGalaxyClient/2.0.74.352 (GOG Galaxy) 83b6745cff679691b69876bc7ee33e05e5d90bda (win10 x64)" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --service-request-channel-token=13228192529590573529 --mojo-platform-channel-handle=3580 /prefetch:2
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3332
      - C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --disable-threaded-scrolling --js-flags=--expose-gc --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --field-trial-handle=3576,6399331852599183236,12766683365366094322,131072 --disable-features=NetworkService --enable-blink-features=CSSBackdropFilter,AsyncClipboard --lang=en-US --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --log-severity=info --user-agent="GOGGalaxyClient/2.0.74.352 (GOG Galaxy) 83b6745cff679691b69876bc7ee33e05e5d90bda (win10 x64)" --disable-pdf-extension --disable-spell-checking --uncaught-exception-stack-size=999 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=13684168017683125576 --renderer-client-id=3 --mojo-platform-channel-handle=4356 /prefetch:1
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4144
      - C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe
        
        "C:\Program Files (x86)\GOG Galaxy\GalaxyClient Helper.exe" --type=gpu-process --field-trial-handle=3576,6399331852599183236,12766683365366094322,131072 --disable-features=NetworkService --disable-gpu-sandbox --use-gl=disabled --no-sandbox --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --log-severity=info --user-agent="GOGGalaxyClient/2.0.74.352 (GOG Galaxy) 83b6745cff679691b69876bc7ee33e05e5d90bda (win10 x64)" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --service-request-channel-token=12969410558164474444 --mojo-platform-channel-handle=2368 /prefetch:2
        6⤵
        Executes dropped EXE
        
        PID:1088

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe
"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:216

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe
"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe
"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe

Filesize
13.3MB

MD5
16bdc3ec70e6266438a673dd37197446

SHA1
963fb9a1c5f91cb7460225074a27fa590bdf925e

SHA256
6d85e3478854ec9a8690e61a178e2638b210506222eb6cd9b1e8e22a3a711c90

SHA512
018d9c4eeaed14699207377ee32d62bc95e8cab3656f01c1143c392fbac8402419c2d0d30a230a4dc27e7ec7b511b0821a36f84410380358124a159fe984b94a

Download Submit
C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe

Filesize
2.2MB

MD5
f11aa32e673a5fe205804fc8f27dd15d

SHA1
2f3e7bf477a8ee79ff8b67bbbe85079c4a00dfc9

SHA256
08700a4c80042ea8690d2623fde9e808f913b2a201307802f3a893b892ef70df

SHA512
b3e66a53b05b3e8ca1aa01905b0f24a2e98933bab9ae507eb5b8a4d475ee25c683d8d9df1c1d484500bec78ef915715e463ecb849304bd0d5ba90ad3693e9660

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoData.dll

Filesize
1.7MB

MD5
7818a804fa9fd0f9a09263b6b35325fc

SHA1
590971157aa72d48f7939556a7554bc9d8975cd5

SHA256
f2fd84a60790d043b531ec8eef9ad2cc961270e5f34096db1331388f1fa80416

SHA512
63a9821c2a23f2f91ef1893e69a902065596e138850b825df8fb54ceed5ff551cde623049521a78821dce48720a8ae2ed53a8927ae0f404a905a24243fece561

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoDataSQLite.dll

Filesize
372KB

MD5
dd7065f6e3bd80c6e7e6419e2475c8a8

SHA1
f01ce83abf97c075fdad042cf6e3f994110ceb78

SHA256
0c1b8043c56a29366da4e7065060201b9f82beba9d1c3c6c393f1a04dc2b136c

SHA512
00656505b68db7bad3a78e283517fb1b2a21217245317334eb6457466564e04ef85a454adbbc97927430da6a6654a66bfaa756808e22dc394413b7bdf434a6c5

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoFoundation.dll

Filesize
1.7MB

MD5
3e72226a19d731e0d0baa1e9a2017dd7

SHA1
d1ea639b8a0532f9ce092861016f79d672dcef25

SHA256
97190cd46762d1947922ff330a406a2bc74c5bcd8e29b937be6ebddbfa3a43c8

SHA512
eedc3c54196c37c08d9c9651b378db8f431c76fce206801ae1f29f0fac8a3b37a076d8610070ff5ac1b90866517b09beaa447018155b53350d8fdabdca44f541

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoJSON.dll

Filesize
338KB

MD5
c645048dcbff4fd35d51a254c18dc131

SHA1
a3c9b97073d69318979a4d1bb66f02edc7ccdd88

SHA256
ea3fb61653067989f3c95126cb6b470057f3f281fda7152f0940af8677e87a53

SHA512
421f45e6f501aeca01ecfe876d0406404eacc13f4bdc8931e9ef46cf6487e3593394042c29169a6af0a8961f95aaa1ff06576da7b495e6fa039568d24723e6ca

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoNet.dll

Filesize
1.3MB

MD5
8fbf4845c06da70e17e40376244b97ba

SHA1
488bb2cfc96dbe103425b9657ddfd646aae4388c

SHA256
fef566ecb133f2d13d18980b8ad667ed202957be7d8716721e9da83f5bb1e04b

SHA512
c1eafd234fe4b5aad87759931edd9c0f8bd902f35b78bbec699b5a5d882011ad7c0a780b781518f4d98c7c880115e1aa57795d5fe138001a7184114d6880c5c1

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoUtil.dll

Filesize
526KB

MD5
9cb7c18b68e61c0eac049a3d7d0b970c

SHA1
83f17545fc35c2e1a0b627236309d8c0933a67d3

SHA256
0d0a7c34d2b972fad2a1ec4df2ef604b55742b5e43f42d254851ad6bb5ffe609

SHA512
9bc86e1199540e5299e61d7b873d70d3668f1e281b9dff2fba555d45cab99e23263d49ce50a4d217e0dcf3e3090a5af0e9dd64b32aec14b5ef6edaaec6e29aa4

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoXml.dll

Filesize
539KB

MD5
ed29d945a6e4ab83974d783e5a910d20

SHA1
4a008b7dcd527fd2ad6b0e4211f431a983104605

SHA256
c12cc8c1f3202c19729538fd3b38b7627cdc122bdad7efdfd37bfac236d7839e

SHA512
8d6eb5ed8ac4b1f95f2f10d0241e130a60540a10b48bb7bb5ced23c6847d333e7818145cfeb93073b2370c216f627f0d7d0a0844e036e9b726a56a4a06409f2f

Download Submit
C:\Program Files (x86)\GOG Galaxy\PocoZip.dll

Filesize
287KB

MD5
fe8390a1579b4d0ac0f168bc59a70ae0

SHA1
927f98a0c58e96de4886bb5253b538627de9e823

SHA256
feb6006bd1fa6224313fc02d70c38da1c95827152452370c8aa2087e122b02ce

SHA512
d924a509933dcfe97b79ef4f715107c55f931058391f7a782cf496a84dfe42656e5f7a523dbbc7b21cf51cbea8aa02b43a5392e2b0e6a4f06a97d504eebb1f7d

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Core.dll

Filesize
5.1MB

MD5
ecd2fed8765416bf429f32f14cc5c747

SHA1
00f09763508c58be76a0ef0b348358a0802d4745

SHA256
e9087632fe379f46fc8d6b4f9dfe6b167640c914873ef033d4bfe9138614d7e8

SHA512
77d38303cb59cdcf68cc779d2c40fad0a327d0258802749aeb5b5b25647bc6c687e5b5a10ce8448dc7c6083267a3a86da747540b2eb15e03fd169478851a2057

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Gui.dll

Filesize
5.6MB

MD5
68c19f9f45a98734a6e42745a75ff2d3

SHA1
1f39560b10ab2bf6f3fab76a3be5f305b169fcaa

SHA256
1233ea25703cc1830f658f379bc3e2e4486ea08b9beb356b5d0e4e0a1d4a3329

SHA512
df7e50d8b17f415c9e2ae33851294370a72ab2368b4cf0cc6c5883740ddd7daa02ecd918440c21c5421bc149c0d611220aab4e51f3fd674b9adf167a79f95e41

Download Submit
C:\Program Files (x86)\GOG Galaxy\Qt5Network.dll

Filesize
1.0MB

MD5
9dcd0f88d822d9e8f5d72dc15f53fb71

SHA1
5e06d4ec06f720a06320bf660fe5f34a460af200

SHA256
99dd9ff6dda27004de1b43e01cf9d5e415c45fd9bfc05e6293ba87a8109e86c5

SHA512
cc39d393ff5f31827bb92a2c30736575b8464f9ccdc14493785d77bcc7cea8125ee9124b09465619cd9dc73e971a3f480c5ed4f64adf62133c3b86032d328b5a

Download Submit
C:\Program Files (x86)\GOG Galaxy\chrome_elf.dll

Filesize
703KB

MD5
884537665618e90e195912a01fc0b007

SHA1
0dfb2689ed2b37260392776a6aa4025b31c5025f

SHA256
98a132ff75b044ce9a666148cce3742214a8525f3c839f4c2a47356aeb93e652

SHA512
02eb60c9e42d1477aa5c27e0c38af1757b09738c2e287964fa5aa510547abf0cef6050f9ae64442250634a8fd21ad345c3fd3432466cecffad384805ed3d6461

Download Submit
C:\Program Files (x86)\GOG Galaxy\libcrypto-1_1.dll

Filesize
2.4MB

MD5
e863188d86f3291d101d3165a57f42c1

SHA1
d22b38ef7fb33203506a997114ec1bbf54df8a35

SHA256
ef31c88b93350311ec3b55d8a6a1279bf919196ae268254a51e698a049045321

SHA512
18d84e4ab9012d20b041cb4409486c41267e141196c4bc249bb7b1f3b5ca6c4641f4664a510c81d2f4ffcaac3af149035f2ec1699ffbe61a15ab7b7d651d39e5

Download Submit
C:\Program Files (x86)\GOG Galaxy\libexpat.dll

Filesize
173KB

MD5
657d32eec34d3225b38262a5878e9474

SHA1
22daaca36c1d49bdb8b2851f40596d4cd025dcb0

SHA256
ec4f39fe48a83d113191402d33420728f571df81b46e41e5c37a46845b4d2f62

SHA512
d4889aff3da2fe9d9cbe175b18793af7e82f0fd6e1fb72ec8aeaf0c8e0872f008beb54a2d44f6fd7f389d0ee104c93ecd1998ddbf4f1d0c7be38e802f5c96895

Download Submit
C:\Program Files (x86)\GOG Galaxy\pcre2-8.dll

Filesize
576KB

MD5
6ff65827e6191c4aebe6d611341ae02e

SHA1
41ecaa87dcc727340e6358251a08d3bab240b58e

SHA256
a149b0e6087f27928cd44ecaf6702399745ceda59001f3918d08f4baacaa7544

SHA512
85d34e0562a72c783ec2ddf2ded5c12ada293032451e4a73b530fffddaca73bbc921d5442b2b18780ae66e41d2c2441a775bbd9b14ddefba2a89984ec282df33

Download Submit
C:\Program Files (x86)\GOG Galaxy\plugins\GalaxyPluginEpic\aiohttp\is-Q958A.tmp

Filesize
987KB

MD5
562e8efa4422fdab66fd48ae64dfc7a5

SHA1
22d7f566adfd42c6c18c5a2e2ccd5d5a3bd49706

SHA256
73185706c9d2aa093c5e0511cee6ff5c52db25228924edb8f3edaf5af913d303

SHA512
b513c177f8dc6edd26391af045bbbd57fc31c3346cc78ae1083373247e08405416198682e773a33991b6f311cd4f65fd2656cb55c63668499494eb7454852f0a

Download Submit
C:\Program Files (x86)\GOG Galaxy\sqlite.dll

Filesize
802KB

MD5
570163e4b53390b17bf78af85e8af01d

SHA1
e642d74d485c4a3ed3a339ff3f2497b06033ccf2

SHA256
dd57aabccc4193e57140f7df1ef9e4e03ff06239a9061ba9760a9a799fa4ba9a

SHA512
6ca6f066ca9ede06947a52b519ffa37570f31add071545ff07a3c19227642cbfc9441805ad9635e6a75be54adbc272283074c0fd347acd99a4924dcbb9d4cecc

Download Submit
C:\Program Files (x86)\GOG Galaxy\web\is-5BHE8.tmp

Filesize
27KB

MD5
240a27d574f21e6dbe82ccfed9d11916

SHA1
bc22e5eb3e1b8c330b667d956118ac3ef1472923

SHA256
e5434b7722d33b1dd24a53bca66e7a746739f5801956fb1ce1ace7b2a1771327

SHA512
071fc1843a8911da9d6d354cec06605feb6a56eb7627f69e2338a57ea7fc3522caf0549c284a8b7f68f18fa284bc3bc51f13dcf6d192b1738d07dcc042b5d8c4

Download Submit
C:\Program Files (x86)\GOG Galaxy\web\locales\pt-PT\is-OPD3C.tmp

Filesize
1KB

MD5
bf804964f529597485b5aa66f76656d8

SHA1
1625addc939cf41ad6677ed2330da32d656d3496

SHA256
4b09dfb390e8e522d12861d0f5e22462658bdacaceaee67bc5132228f9e802d0

SHA512
6c9009c448830cd678be6d6edc28ee5e936ce25ff100c93df66ad24a8f93fc21739ffe80e27d94f400736cf76ae7735ddb7568ffa68ae23a0f566396eb6c4413

Download Submit
C:\Program Files (x86)\GOG Galaxy\xdelta3.dll

Filesize
131KB

MD5
9cfacd6bb21d545f154a3ec82aaf9d93

SHA1
1bbee4abe68031b38256c0f4584adb6aed95ce7b

SHA256
57f498d7770150c5516cccff38dabeb90f54647d8e73a2cd45044155d86ff953

SHA512
71f7d498c4442a6f0956cc030e459c8e53d041ae4e4ab1fe6b4a56d141ae6cee95ef26c10722e11923b9c65a2f90efed94da925095c19b9ec911ca499d84856a

Download Submit
C:\Program Files (x86)\GOG Galaxy\zlib1.dll

Filesize
104KB

MD5
2a92f0dc6dac8545718ee475b7b961ed

SHA1
c154cdcf10e411f1622e29a7f019ae610f35ddf1

SHA256
3c53b164dfaa56213b081c97d388082a3731f064b44bd5cbcf0876b075a3b890

SHA512
190ef026570129f8a9f03e22866fc8b49597644a53d06bb9c1e0cf37edbf689df86de928fb9bf782797262b1fcf85c52e212156eae94af2cd1ae4b25b3298234

Download Submit
C:\ProgramData\GOG.com\Galaxy\changelogs\is-H9A0R.tmp

Filesize
40KB

MD5
0b0e0cddd17466c1e3b81e608e29efc3

SHA1
30120f882defb836ee1cee65eae9bb3771a259b5

SHA256
91a6099a4e818b25085359ab1e6bbb0773503ab0e5cdac21bac0f6720ff21e12

SHA512
362d42f2e974b7536dc154bf4c5057ff737b2ea940e87b00a8b4183542b7ef6f5ab32840b2401523ba5e230509e865c95e65dc0bb0adba97b9433e624f5962dd

Download Submit
C:\ProgramData\GOG.com\Galaxy\config.json

Filesize
268B

MD5
0983ab2871e1f03d0d78954b0e78ded8

SHA1
c15910cdc2a98840d4731cb477d497dfea23387c

SHA256
375a77b239a3564ed9b2c2ebd3607d9faf3d4fddb0db517ba25942e57629f093

SHA512
87a497a9f216fd7dddaa2ef7e0a9ed930ca5634811de5da124b4444b9aea9e755b434770cd6a1921b5f3b7e10fbafab0f442946122765b016f0a28e38e623f3a

Download Submit
C:\ProgramData\GOG.com\Galaxy\config.json

Filesize
333B

MD5
e823d5a016a25d58c4049f9389624685

SHA1
83845b03459ed820e5fa862f8a4c38dca34d58ec

SHA256
f622cfbd3bb53cf4cecc8a29685ee8a4e839548e102e79f97474e83eae2ad894

SHA512
d84f44365f379ec5c69be2025cd226bce995f5731ce3b114bd3b240a287a042e1658cafd8e2edeafe3e164a9610d8ee3d8143e403e58ed26b79f11cc04593f3f

Download Submit
C:\ProgramData\GOG.com\Galaxy\logs\InstallerWebinstaller.log

Filesize
696B

MD5
2bdf4a49716a88a2b28c615b77be32b3

SHA1
ff6198c684338ec3c9d6b376ec3bc2fa47fa4010

SHA256
171d2cfde70003a04429a70ad48978296bcae0dd9ef196dba4b2d12250ee503e

SHA512
118544fe26f82bb44310472eeab65bbe5686adf905067b305529a7240e69e7cecbaa665a74d90dd2c3c3146687ccd02ac5a78a7c5e6bfc80bc8cc237bbcdd7ac

Download Submit
C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe

Filesize
6.8MB

MD5
880582f1109fcd85a0a37cee73c341d4

SHA1
aab9767740e4c5597b91332f1d680b3306ef9a97

SHA256
e4724a1452c799f13e307202383e013302b35e755bc7af267ba3386bee0fd415

SHA512
6d7c1c1884e5b2e71720ba05825f98f2204ae64296819f160db347caf20ad40c7abdcd71f025b3226a28e9f26d403fc8d3d37440c501da43a8889fc111904c4a

Download Submit
C:\ProgramData\GOG.com\Galaxy\redists\web\locales\en-US\is-FTI42.tmp

Filesize
135KB

MD5
35a480f9b79fefcc52fbeb9f407b9ddb

SHA1
71b93366f61ab551728b19839e88307b5ad5660d

SHA256
696168032cb8e76bfeb70892bb7a027e66d9284dd5ee839852f964eed0e5441d

SHA512
2a0972476ee922e80a5303ecec277d57fde355beb2fa6313d4304e63448f9acc46cb36782983e67875fb8bcb1c211ddfa6bc104ee7101d9546ba5d95589d7f0e

Download Submit
C:\ProgramData\GOG.com\Galaxy\webcache\common\Cache\f_000005

Filesize
207KB

MD5
5a641d4af4cd4ebc751c4d0ff5390451

SHA1
0b6d6c07151f9e93e107d97173ea5de6d21c6ff3

SHA256
0e16584de89206c4e127988def8ea28d70bb0ef2dc8c914a2d8dc65a83fd2115

SHA512
4a0c770313c8206e9c878c24e7462cd5ea7af76d418261b503abc576378f59a6963a90a588e0f7ed2aaafbb14daf2d6316b5148998d2fa84c1ac4f58189205fa

Download Submit
C:\ProgramData\GOG.com\Galaxy\webcache\common\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
27a84a27f209f48a479209da0d5e0521

SHA1
3cdf3d98ce2a2690a55e1a1424e09a8fdcd83bad

SHA256
fff7e156b1bae681103ee779afb58cd0d508cf549b137b1c54d0e695ef1c0a13

SHA512
e84a529bf34cc32157775fc31834c9dff333578f11f158d7362f282c478e20b5ccd37e9f16cf73412c2274ceefd73b7bd7d98abc8a564dde49d92e4d7e5a2fe0

Download Submit
C:\ProgramData\GOG.com\Galaxy\webcache\common\Code Cache\js\index-dir\the-real-index~RFe598776.TMP

Filesize
48B

MD5
d5860b96f38104106e637476487cde33

SHA1
b14e56b1431fd2fd6eb2a1a00e8003b779b16e6c

SHA256
f640237ebb02a96f35f4a685ecbf6bddfd43f4eb69f738006551ccb36b284de6

SHA512
2041c1cb09c989dbf5f71467e20ff85d54953c71b7416a92ecb7191d62ceabb0d8f2a2328eeafeeb579235a08833837abfc165fd4bf2dfdb104acae6de46fab2

Download Submit
C:\ProgramData\GOG.com\Galaxy\webcache\common\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\GOG.com\Galaxy\webcache\common\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\GOG.com\Galaxy\Configuration\config.json

Filesize
2KB

MD5
b9458ee7df2e344cfb7ebca63abce667

SHA1
f14b31b480a196c1b072455a61ef4bd316c0deb9

SHA256
d78056318678cad58d996b46f016dc172e9fcc4eacee69ef4d5417cf115d98c7

SHA512
af03bf595e635cb0b99cf2a23a96de8e343779d797e00054974ab6c3d49421386c16db65a84f63548d76329c52b49ea7a555d6c3627700e90115c7cb2644ec28

Download Submit
C:\Users\Admin\AppData\Local\GOG.com\Galaxy\Configuration\config.json

Filesize
2KB

MD5
1c07a849d7dabee5460ca861a578a795

SHA1
05cf925ef2c58211a87c2d2c56cbc909de4249ad

SHA256
dc1ff826c6b7f3bb7486246067a205f5c58274f8e88801d1d5a3ca74f4efaf25

SHA512
0d8aded38d84eb65026f3a3f3860551d05b3594e0fa7e6a2728ad1cf6d59f5a83c9d7a73c806d9e3f1326760fe1ba2a86223cde7695c93175aa1f62eecc84595

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\icon.ico

Filesize
480KB

MD5
391cf634b3ccf3971811be5ef016fe32

SHA1
8e3023466d02dfb8f2e1b48555b998532dc9a377

SHA256
de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8

SHA512
c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\payload.campaign

Filesize
555B

MD5
7b11a2b50548f6e537f62063817c65f8

SHA1
891b24b24eb7fd5a95e765015763beee27385790

SHA256
891320597758a78ffc1d89c67cbd0b570aa94c32047e6f3ac9121e0d180c1aa9

SHA512
0e93582ec31dff7ed66e5498656a80d245cf34b1ce556864222d7505d9a531cedb9e91590c880a5852cd3a8c351847019d0e69b02240feb4dc257374ecf587e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_xZcUX\remoteconfig.json

Filesize
561B

MD5
068a761b1ea67b67ac574d7a79180949

SHA1
af2d474fe6ddec279f7f4453b3e532279a7d250a

SHA256
a08b8fdc1bb517a3e29c29fac6af7636e475e3e27d66384c4b63bcb326b43b5a

SHA512
88e50fa96b4845f193a6954ee72fcf4ba4f9071dddcdea713f33c0a1381ff7d59fdd706253a3e682f16d10bb90ccae8f3ec24316ca84933b880ccbe75d5e506b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3LCG4.tmp\GalaxySetup.tmp

Filesize
3.3MB

MD5
300342bd92d7c94783a75aef90780d83

SHA1
6c061285e94addf89329f9f2b4c4022eb21a6dde

SHA256
a652e160d8d0bf4c4e2585506635c25425a508d2430fd00e1aa913111ad0dba9

SHA512
4f5f63f42033f83e02338372a216c0b6f3233defe7b91488d0c850f72090a85d7c575092cb77a0639b423236831092447d388f51b076a7649b862c2b021f372d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x64.exe

Filesize
14.3MB

MD5
1e7bd6790391b5b710c6372ab2042351

SHA1
75f1aee6dccf3d6e6ac49926563737005b93ba13

SHA256
952a0c6cb4a3dd14c3666ef05bb1982c5ff7f87b7103c2ba896354f00651e358

SHA512
ae3860a060be483c9fcbcf6a41f561faf2cd681f39138dd13a563e3f39cf4b4f41e7c0f7b58bc8b585b2728245025be4b198f06634a97fa98847258272f9f59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\VC_redist.x86.exe

Filesize
13.8MB

MD5
3aa2d769397da14166eacdb3640458ee

SHA1
b38b7fc28c5e2ef157f93297036202911d2fc2bf

SHA256
b4d433e2f66b30b478c0d080ccd5217ca2a963c16e90caf10b1e0592b7d8d519

SHA512
404d2301c4719b8791639e8100eff6df7cd9c3ca62ad0a5c7ac8252f8adc2601aeefe83da982a409b9e3d901f74518ff98d2af5ebdd8cc77067be39c20eb1c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OMUOO.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3b94415067dd2c5d.customDestinations-ms

Filesize
5KB

MD5
96dd80972b008f7531b1c14b52c49559

SHA1
862d800319898af13cde9523456eefeece311127

SHA256
9d3761eb7baf7b6f5eb3153abe366fba17cebc172ab65a2915fed7039daca835

SHA512
349c577d98ba5c30edf0d8581e32638f4c40aeced6ab53848a5091d38a11c98c372eef7b24790c796fc440c95ab7ff895464e5199cf9f559b51e43ee64cee7f2

Download Submit
C:\Windows\Temp\{01FABDE2-65D9-4508-A278-E27E59F0D7D2}\.cr\VC_redist.x64.exe

Filesize
632KB

MD5
1d7599c4a31b82e70308c022e9494011

SHA1
7d04a03d5502df2838d40dd131b1cae226cb5205

SHA256
21d2935d29c807a3a56c406849b97dbc7f720822920930d0e2b13a44203c107c

SHA512
080ff020e0d2d9c0ce6beee8143c0f49e1b4450baa08072a8662f4b25ad6b034ee0ad174f2d4acd5b011cb8fb140656755007e245673f7677964b9e99555ab08

Download Submit
C:\Windows\Temp\{472155DB-2C8B-4630-9A98-98FAE22EDA50}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{472155DB-2C8B-4630-9A98-98FAE22EDA50}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{ACBB58C6-23D1-4791-BBFF-37BA16B735E0}\.cr\VC_redist.x86.exe

Filesize
632KB

MD5
68f7654abfd77baade7a36e1d718ebc4

SHA1
eabba5cb899aee962f85b52e359c9f85d83771b6

SHA256
5b60b35079913ba1e00cddf762c1759650de8a3c2b76e373b996ced4843becdb

SHA512
b48c4ba6112e7ac1dae5846eb41812d265a72fc13966c8f8bdf7099fec88d27b414fe566905a6eea4e2f574c379fe87059018c8a365bed55a46eea9a42b38889

Download Submit
memory/1548-1281-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/1548-73-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/1548-2616-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/1548-2610-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/1548-2598-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/1548-79-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/3516-36-0x00007FFCB6D23000-0x00007FFCB6D25000-memory.dmp

Filesize
8KB

Download
memory/3516-2624-0x00007FFCB6D20000-0x00007FFCB77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-76-0x00007FFCB6D20000-0x00007FFCB77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-16-0x0000000000040000-0x00000000000D0000-memory.dmp

Filesize
576KB

Download
memory/3516-17-0x00007FFCB6D20000-0x00007FFCB77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-37-0x00007FFCB6D20000-0x00007FFCB77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-42-0x00007FFCB6D20000-0x00007FFCB77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-15-0x00007FFCB6D23000-0x00007FFCB6D25000-memory.dmp

Filesize
8KB

Download
memory/3516-30-0x000000001D760000-0x000000001DC88000-memory.dmp

Filesize
5.2MB

Download
memory/3516-29-0x000000001D060000-0x000000001D222000-memory.dmp

Filesize
1.8MB

Download
memory/4588-71-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4588-56-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4588-2617-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4732-34-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/4732-2627-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/4732-0-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download